CVE-2019-0214: Apache Archiva arbitrary file write and delete on the server
Severity: Medium
Vendor: The Apache Software Foundation
Versions Affected: Apache Archiva 2.0.0 - 2.2.3
The unsupported versions 1.x are also affected.
It is possible to write files to the Archiva server at arbitrary locations by using the artifact upload mechanism.
Existing files can be overwritten if the Archiva run user has the appropriate filesystem permission on the target file.
Mitigation:
It is highly recommended to upgrade to Archiva 2.2.4 or higher, where additional validations are implemented to prevent such malicious parameter values.
As an interim measure, you may reduce the number of users that are allowed to upload to Archiva and make sure that the Archiva run user has write permission only to the directories it needs.
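As an added example (not Archiva's own code), the following shows the kind of server-side validation that the "additional validations" above refer to, written in Python for clarity rather than in Archiva's Java: each Maven coordinate and the file name are checked individually, and the final resolved path is confirmed to stay inside the repository root. The parameter names, the standard Maven repository layout and the character rule are assumptions for this example.

```python
import re
from pathlib import Path

# Allowed characters for one Maven coordinate or file-name component.
# Constructed rule for this example; Archiva's real validators may differ.
_COMPONENT_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")


def validate_component(value: str) -> str:
    """Reject a component that could change directory or contain separators."""
    if not _COMPONENT_RE.fullmatch(value) or ".." in value:
        raise ValueError(f"rejected upload parameter: {value!r}")
    return value


def resolve_upload_target(repo_base: str, group_id: str, artifact_id: str,
                          version: str, filename: str) -> Path:
    """Return the absolute on-disk path an upload would write to, or raise
    if any parameter would place the file outside repo_base."""
    base = Path(repo_base).resolve()
    # groupId maps to nested directories: org.example -> org/example
    group_dirs = [validate_component(p) for p in group_id.split(".")]
    target = base.joinpath(*group_dirs,
                           validate_component(artifact_id),
                           validate_component(version),
                           validate_component(filename))
    # Defense in depth: even after per-component checks, confirm containment
    # of the normalized path within the repository root.
    resolved = target.resolve()
    if resolved != base and base not in resolved.parents:
        raise ValueError(f"upload target escapes repository: {resolved}")
    return resolved


def upload_relative_path(repo_base: str, group_id: str, artifact_id: str,
                         version: str, filename: str) -> str:
    """Path of the accepted upload relative to the repository root."""
    base = Path(repo_base).resolve()
    target = resolve_upload_target(repo_base, group_id, artifact_id, version, filename)
    return target.relative_to(base).as_posix()


def is_safe_upload(repo_base: str, group_id: str, artifact_id: str,
                   version: str, filename: str) -> bool:
    """True if the upload parameters pass validation, False otherwise."""
    try:
        resolve_upload_target(repo_base, group_id, artifact_id, version, filename)
        return True
    except ValueError:
        return False
```

Run with the repository root Archiva is configured to use; rejected uploads should be logged with the offending parameter so traversal attempts are visible to operators.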
References:
http://archiva.apache.org/security.html#CVE-2019-0214
The newest Archiva version can be downloaded from:
http://archiva.apache.org/download.cgi