CVE-2019-0214: Apache Archiva arbitrary file write and delete on the server

Severity: Medium

Vendor:
The Apache Software Foundation

Versions Affected:
    Apache Archiva 2.0.0 - 2.2.3
    The unsupported versions 1.x are also affected.

It is possible to write files to the Archiva server at arbitrary locations by using the artifact upload mechanism.
Existing files can be overwritten if the Archiva run user has appropriate permission on the filesystem for the target file.

Mitigation:

It is highly recommended to upgrade to Archiva 2.2.4 or higher, where additional validations are implemented to prevent such malicious parameter values.
As an intermediate action you may reduce the number of users that are allowed to upload to Archiva and make sure that the Archiva run user has write permission only to the directories it needs.
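
As an added illustration of the kind of parameter validation the fix describes (example code, not Archiva's own; the class name, method name and the Maven-style coordinates it takes are assumptions), the following Java helper maps client-supplied upload parameters to a file below the repository root and refuses any value that would place the write elsewhere:

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.util.regex.Pattern;

// Hypothetical helper (not part of Archiva): confines an upload target to the
// repository root regardless of what the client sends for each coordinate.
public final class SafeArtifactPath {
    // One path segment: no separators, no NUL, no drive letters, no traversal.
    private static final Pattern SEGMENT = Pattern.compile("[A-Za-z0-9._-]+");

    private SafeArtifactPath() {}

    /** Returns the confined target path or throws if the parameters escape the root. */
    public static Path resolve(Path repositoryRoot, String groupId, String artifactId,
                               String version, String filename) throws IOException {
        Path root = repositoryRoot.toRealPath();          // canonical root, links resolved
        Path target = root;
        for (String part : groupId.split("\\.", -1)) {    // "org.example" -> org/example
            target = target.resolve(checkSegment(part));
        }
        target = target.resolve(checkSegment(artifactId))
                       .resolve(checkSegment(version))
                       .resolve(checkSegment(filename));

        // Defence in depth: even after per-segment checks, require that the
        // normalized path still lies below the canonical root.
        Path normalized = target.normalize();
        if (!normalized.startsWith(root)) {
            throw new IOException("upload target escapes the repository root");
        }

        // The longest existing prefix is what the OS will actually follow; if it
        // is (or passes through) a symlink pointing outside the root, refuse it.
        Path existing = normalized;
        while (existing != null && !Files.exists(existing, LinkOption.NOFOLLOW_LINKS)) {
            existing = existing.getParent();
        }
        if (existing != null && !existing.toRealPath().startsWith(root)) {
            throw new IOException("upload target resolves through a link outside the root");
        }
        return normalized;
    }

    private static String checkSegment(String s) throws IOException {
        if (s == null || ".".equals(s) || "..".equals(s) || !SEGMENT.matcher(s).matches()) {
            throw new IOException("rejected path segment: " + s);
        }
        return s;
    }
}
```

The allow-list on each segment does the real work; the canonical-path comparison afterwards only exists to catch anything a future change to the allow-list might let through.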

References:
http://archiva.apache.org/security.html#CVE-2019-0214

The newest Archiva version can be downloaded from:
http://archiva.apache.org/download.cgi
