CVE-2019-0214: Apache Archiva arbitrary file write and delete on the server
CVE-2019-0214: Apache Archiva arbitrary file write and delete on the server
Severity: Medium
Vendor:
The Apache Software Foundation
Versions Affected:
Apache Archiva 2.0.0 - 2.2.3
The unsupported versions 1.x are also affected.
It is possible to write files to the archiva server at arbitrary locations by using the artifact upload mechanism.
Existing files can be overwritten, if the archiva run user has appropriate permission on the filesystem for the target file.
Mitigation:
It is highly recommended to upgrade to Archiva 2.2.4 or higher, where
additional validations are implemented to prevent such malicious
parameter values.
As intermediate action you may reduce the number
of users that are allowed to upload to archiva and make sure, that the
archiva run user may have only
write permission to the directories needed.
References:
http://archiva.apache.org/security.html#CVE-2019-0214
The newest Archiva version can be downloaded from:
http://archiva.apache.org/download.cgi
CVE-2019-0214: Apache Archiva arbitrary file write and delete on the server的更多相关文章
- struts2 CVE-2012-0392 S2-008 Strict DMI does not work correctly allows remote command execution and arbitrary file overwrite
catalog . Description . Effected Scope . Exploit Analysis . Principle Of Vulnerability . Patch Fix 1 ...
- 使用Apache Archiva搭建Maven Repository Server
关于 Maven 私服 的搭建 这里 采用 Apache Archiva 的 Standanlone 模式来安装 1) 首先到archiva主页上下载最新版(Archiva 2.2.1 Standal ...
- apache php upload file
/********************************************************************************* * apache php uplo ...
- 使用Apache Archiva管理Maven仓库
1 . 私服简介 私服是架设在局域网的一种特殊的远程仓库,目的是代理远程仓库及部署第三方构件.有了私服之后,当 Maven 需要下载构件时,直接请求私服,私服上存在则下载到本地仓库:否则,私服请求外部 ...
- CVE-2019-0213: Apache Archiva Stored XSS
CVE-2019-0213: Apache Archiva Stored XSS Severity: Low Vendor:The Apache Software Foundation Version ...
- 奇葩问题:This file could not be checked in because the original version of the file on the server was moved or deleted. A new version of this file has been saved to the server, but your check-in comments were not saved
"This file could not be checked in because the original version of the file on the server was m ...
- Error parsing 'file:///media/RHEL_5.5\\ x86_64\\ DVD/Server'
Error parsing 'file:///media/RHEL_5.5\\ x86_64\\ DVD/Server' http://lindows.iteye.com/blog/456637 ht ...
- 重启Apache报错apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1 for ServerName ... waiting的解决方法
启动apache提示 : apache2: Could not reliably determine the server's fully qualified domain name, using 1 ...
- 启动httpd服务:SSLCertificateFile: file '/var/www/miq/vmdb/certs/server.cer' does not exist or is empty
启动httpd服务,失败: [root@test vmdb]# service httpd restart Stopping httpd: [FAILED] Starting httpd: Synta ...
随机推荐
- c语言 GPS nmealib学习笔记
.nmealib简介 nmealib是一个基于C语言的用于nmea协议的开源库.虽然nmea体积小巧,但是却具备了不少功能. 分析NMEA语句并把结果保存在合适的C语言结构体中. 除了解析NMEA语句 ...
- iOS 百度地图报私有api的解决方案
1.Build Settings-->搜索other linker Flags-->将other linker Flags设置为-objc 2.用2.1.1的版本的百度地图 3.换高德地图
- 【Leetcode_easy】821. Shortest Distance to a Character
problem 821. Shortest Distance to a Character solution1: class Solution { public: vector<int> ...
- css+html 实现 光晕 光圈
<style> html { height: 100%;}body { height: 100%; background-color: #000; margin: 0; padding: ...
- iOS-浅谈iOS中三种生成随机数方法
ios 有如下三种随机数方法:
- netcore部署
配置的几种方式: https://www.cnblogs.com/humin/p/10330983.html Linux下配置sdk: https://dotnet.microsoft.com/dow ...
- 解决访问github等网站慢或下载失败的问题
最近老大push项目,正常的git clone每次都是下载一部分就断掉了.下面介绍网上找到的两种方法: 方法一: 1.打开网站https://www.ipaddress.com/: 2.分别在上面打开 ...
- 基于SymmetricDS的多主一从数据库同步方案
原文参照:https://blog.csdn.net/seattle0564/article/details/22096901 下面就记录下测试的一款第三方同步方案SymmetricDS(以下简称S) ...
- Docker准备
1. 引言 Docker是目前最流行的容器技术,是一个开源的引擎,可以轻松的为任何应用创建一个轻量级的.可移植的.自给自足的容器.是开发人员和系统管理员使用容器开发,部署和运行应用程序的平台.也许我们 ...
- JSON文件转为Excel
前言 今天在帮老师做年终党统的时候,发现管理平台上没有将正在发展的同志的信息导出功能,只能一个一个点击进去查看,操作起来步骤很多很麻烦,所以我就想到了"扒"一下这个网页,扒下来发现 ...