CVE-2019-0214: Apache Archiva arbitrary file write and delete on the server
Severity: Medium
Vendor:
The Apache Software Foundation
Versions Affected:
Apache Archiva 2.0.0 - 2.2.3
The unsupported versions 1.x are also affected.
It is possible to write files to the Archiva server at arbitrary locations by using the artifact upload mechanism.
Existing files can be overwritten if the Archiva run user has the appropriate permission on the filesystem for the target file.
Mitigation:
It is highly recommended to upgrade to Archiva 2.2.4 or higher, where additional validations are implemented to prevent such malicious parameter values.
As an intermediate action you may reduce the number of users that are allowed to upload to Archiva, and make sure that the Archiva run user has write permission only to the directories it needs.
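The following is an added illustration of the kind of server-side validation the mitigation refers to; it is not Archiva's code and not the 2.2.4 fix. It assumes a repository root directory (the path used here is constructed) and Maven-style upload parameters (groupId, artifactId, version, filename). Each parameter is restricted to a safe character set, and the resolved target is additionally checked to lie inside the repository root, so a parameter value cannot steer the write outside the repository.

```python
import os
import re

# Constructed repository root for this example; any absolute directory works.
REPO_ROOT = "/var/archiva/repositories/internal"

# One path component of a Maven coordinate: must start alphanumeric, then only
# alphanumerics, '.', '_' or '-'. Leading '.' is excluded, so "." and ".." never
# match, and no path separator can appear at all.
_COMPONENT = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


def _check_component(name, value):
    """Reject empty, dot-only, or separator-bearing components."""
    if not value or value in (".", "..") or not _COMPONENT.match(value):
        raise ValueError(f"invalid {name}: {value!r}")
    return value


def safe_artifact_path(repo_root, group_id, artifact_id, version, filename):
    """Map upload parameters to a file path guaranteed to stay under repo_root.

    groupId "org.apache.example" becomes "org/apache/example", so every dotted
    part is validated on its own; artifactId, version and filename are each a
    single component. Raises ValueError for anything that does not fit.
    """
    group_parts = [_check_component("groupId", p) for p in group_id.split(".")]
    parts = group_parts + [
        _check_component("artifactId", artifact_id),
        _check_component("version", version),
        _check_component("filename", filename),
    ]
    root = os.path.normpath(os.path.abspath(repo_root))
    target = os.path.normpath(os.path.join(root, *parts))
    # Defence in depth: even if the component rules were ever loosened, the
    # resolved target must still be inside the repository root.
    if os.path.commonpath([root, target]) != root:
        raise ValueError(f"target escapes repository root: {target!r}")
    return target


def classify_uploads(repo_root, requests):
    """Return {label: resolved path, or None when the request was rejected}."""
    outcome = {}
    for label, coords in requests:
        try:
            outcome[label] = safe_artifact_path(repo_root, *coords)
        except ValueError:
            outcome[label] = None
    return outcome


# Constructed sample upload requests (label, (groupId, artifactId, version, filename)).
SAMPLE_REQUESTS = [
    ("normal", ("org.apache.example", "demo", "1.0.2", "demo-1.0.2.jar")),
    ("dotdot-filename", ("org.apache.example", "demo", "1.0.2", "../../outside.txt")),
    ("absolute-filename", ("org.apache.example", "demo", "1.0.2", "/outside.txt")),
    ("separator-in-version", ("org.apache.example", "demo", "1.0/../..", "demo.jar")),
    ("empty-group-part", ("org..example", "demo", "1.0.2", "demo.jar")),
    ("backslash-filename", ("org.apache.example", "demo", "1.0.2", "..\\outside.txt")),
]


if __name__ == "__main__":
    for label, result in classify_uploads(REPO_ROOT, SAMPLE_REQUESTS).items():
        print(f"{label:22} -> {'REJECTED' if result is None else result}")
```

Only the first constructed request resolves to a path; the others are rejected by the component rule before the containment check is even reached. The second check is kept anyway, because the per-parameter rule is the part most likely to be relaxed later (for example to admit more characters in filenames), and the containment test then still bounds what an upload can touch.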
References:
http://archiva.apache.org/security.html#CVE-2019-0214
The newest Archiva version can be downloaded from:
http://archiva.apache.org/download.cgi