oss-sec mailing list archives

CVE-2024-27138: Apache Archiva: disabling user registration is not effective
From: Arnout Engelen <engelen () apache org>
Date: Fri, 01 Mar 2024 10:44:35 +0000

Severity: moderate

Affected versions:

- Apache Archiva 2.0.0 or later

Description:

** UNSUPPORTED WHEN ASSIGNED ** Incorrect Authorization vulnerability in Apache Archiva.

Apache Archiva has a setting to disable user registration, however this restriction can be bypassed. As Apache Archiva 
has been retired, we do not expect to release a version of Apache Archiva that fixes this issue. You are recommended to 
look into migrating to a different solution, or isolate your instance from any untrusted users.

NOTE: This vulnerability only affects products that are no longer supported by the maintainer

Credit:

Florian Hauser, @frycos (reporter)

References:

https://archiva.apache.org/
https://www.cve.org/CVERecord?id=CVE-2024-27138
