CVE-2019-0214: Apache Archiva arbitrary file write and delete on the server

Severity: Medium

Vendor:
The Apache Software Foundation

Versions Affected:
    Apache Archiva 2.0.0 - 2.2.3
    The unsupported versions 1.x are also affected.

It is possible to write files to the archiva server at arbitrary locations by using the artifact upload mechanism.
Existing files can be overwritten, if the archiva run user has appropriate permission on the filesystem for the target file.

Mitigation:
 
It is highly recommended to upgrade to Archiva 2.2.4 or higher, where
additional validations are implemented to prevent such malicious
parameter values.
  As intermediate action you may reduce the number
of users that are allowed to upload to archiva and make sure, that the
archiva run user may have only
  write permission to the directories needed.

References:
http://archiva.apache.org/security.html#CVE-2019-0214

The newest Archiva version can be downloaded from:
http://archiva.apache.org/download.cgi

CVE-2019-0214: Apache Archiva arbitrary file write and delete on the server的更多相关文章

  1. struts2 CVE-2012-0392 S2-008 Strict DMI does not work correctly allows remote command execution and arbitrary file overwrite

    catalog . Description . Effected Scope . Exploit Analysis . Principle Of Vulnerability . Patch Fix 1 ...

  2. 使用Apache Archiva搭建Maven Repository Server

    关于 Maven 私服 的搭建 这里 采用 Apache Archiva 的 Standanlone 模式来安装 1) 首先到archiva主页上下载最新版(Archiva 2.2.1 Standal ...

  3. apache php upload file

    /********************************************************************************* * apache php uplo ...

  4. 使用Apache Archiva管理Maven仓库

    1 . 私服简介 私服是架设在局域网的一种特殊的远程仓库,目的是代理远程仓库及部署第三方构件.有了私服之后,当 Maven 需要下载构件时,直接请求私服,私服上存在则下载到本地仓库:否则,私服请求外部 ...

  5. CVE-2019-0213: Apache Archiva Stored XSS

    CVE-2019-0213: Apache Archiva Stored XSS Severity: Low Vendor:The Apache Software Foundation Version ...

  6. 奇葩问题:This file could not be checked in because the original version of the file on the server was moved or deleted. A new version of this file has been saved to the server, but your check-in comments were not saved

    "This file could not be checked in because the original version of the file on the server was m ...

  7. Error parsing 'file:///media/RHEL_5.5\\ x86_64\\ DVD/Server'

    Error parsing 'file:///media/RHEL_5.5\\ x86_64\\ DVD/Server' http://lindows.iteye.com/blog/456637 ht ...

  8. 重启Apache报错apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1 for ServerName ... waiting的解决方法

    启动apache提示 : apache2: Could not reliably determine the server's fully qualified domain name, using 1 ...

  9. 启动httpd服务:SSLCertificateFile: file '/var/www/miq/vmdb/certs/server.cer' does not exist or is empty

    启动httpd服务,失败: [root@test vmdb]# service httpd restart Stopping httpd: [FAILED] Starting httpd: Synta ...

随机推荐

  1. GPS nmealib学习 问题

    When building on Ubuntu 12.x the build fails with the following error… gcc  samples/generate/main.o ...

  2. myeclipse打开jsp后卡死的问题详解

    myeclipse打开jsp后卡死的问题详解   1,打开 Window -> Preferences -> General -> Editors -> File Associ ...

  3. Jenkins占用内存较大解决办法

    主机启动jenkins后导致内存占用较大 登录主机top按键M按消耗内存排序 未调优前查看进程 修改配置文件 /usr/local/jenkins-tomcat/bin/catalina.sh 增加一 ...

  4. 如何实现批量截取整个网页完整长截图,批量将网页保存成图片web2pic/webshot/screencapture/html2picture

    如何实现批量截取整个网页完整长截图,批量将网页保存成图片web2pic/webshot/screencapture [困扰?疑问?]: 您是否正受到:如何将网页保存为图片的困扰?网页很高很长截图截不全 ...

  5. MySQL“Another MySQL daemon already running with the same unix socket”的处理

    方法一: rm var/lib/mysql/mysql.sock service mysqld start 方法二: mv /var/lib/mysql/mysql.sock /var/lib/mys ...

  6. 最新 拉卡拉java校招面经 (含整理过的面试题大全)

    从6月到10月,经过4个月努力和坚持,自己有幸拿到了网易雷火.京东.去哪儿.拉卡拉等10家互联网公司的校招Offer,因为某些自身原因最终选择了拉卡拉.6.7月主要是做系统复习.项目复盘.LeetCo ...

  7. Django简介 --Python Web

    Python Web主流的三种框架:Django.Flask.Tornado,使用频度:Django>Flask>Tornado 一.设计模式 MVC:模型(Model).View(视图) ...

  8. c# 面向对象/继承关系设计

    继承 RTTI RTTI 概念 RTTI(Run Time Type Identification)即通过运行时类型识别,程序能够使用基类的指针或引用来检查着这些指针或引用所指的对象的实际派生类型. ...

  9. Python习题003

    作业一:将字符串”k:1/k1:2/k2:3/k3:4”处理成字典(比较难) 方法一 list = 'k:1/k1:2/k2:3/k3:4' new_list = list.split("/ ...

  10. 20191030-Python实现闭包

    打算在过年前每天总结一个知识点,所以把自己总结的知识点分享出来,中间参考了网络上很多大神的总结,但是发布时候因为时间太久可能没有找到原文链接,如果侵权请联系我删除 20191030:闭包 首先一个函数 ...