CVE-2019-0214

In Apache Archiva 2.0.0 - 2.2.3, it is possible to write files to the archiva server at arbitrary locations by using the artifact upload mechanism. Existing files can be overwritten, if the archiva run user has appropriate permission on the filesystem for the target file.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.5 MEDIUM
NETWORK
LOW
LOW
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
apacheCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 82%
VendorProductVersion
apachearchiva
1.2 ≤
𝑥
≤ 1.3.9
apachearchiva
2.0.0 ≤
𝑥
≤ 2.2.3
𝑥
= Vulnerable software versions
References
http://archiva.apache.org/security.html#CVE-2019-0214
http://packetstormsecurity.com/files/152684/Apache-Archiva-2.2.3-File-Write-Delete.html
http://www.openwall.com/lists/oss-security/2019/04/30/8
http://www.securityfocus.com/bid/108124
https://lists.apache.org/thread.html/18b670afc2f83034f47ebeb2f797c350fe60f1f2b33c95b95f467ef8%40%3Cannounce.apache.org%3E
https://lists.apache.org/thread.html/239349b6dd8f66cf87a70c287b03af451dea158b776d3dfc550b4f0e%40%3Cusers.maven.apache.org%3E
https://lists.apache.org/thread.html/5851cb0214f22ba681fb445870eeb6b01afd1fb614e45a22978d7dda%40%3Cusers.archiva.apache.org%3E
https://lists.apache.org/thread.html/ada0052409d8a4a8c4eb2c7fd6b9cd9423bc753d5fce87eb826662fb%40%3Cissues.archiva.apache.org%3E
https://seclists.org/bugtraq/2019/Apr/48
http://archiva.apache.org/security.html#CVE-2019-0214
http://packetstormsecurity.com/files/152684/Apache-Archiva-2.2.3-File-Write-Delete.html
http://www.openwall.com/lists/oss-security/2019/04/30/8
http://www.securityfocus.com/bid/108124
https://lists.apache.org/thread.html/18b670afc2f83034f47ebeb2f797c350fe60f1f2b33c95b95f467ef8%40%3Cannounce.apache.org%3E
https://lists.apache.org/thread.html/239349b6dd8f66cf87a70c287b03af451dea158b776d3dfc550b4f0e%40%3Cusers.maven.apache.org%3E
https://lists.apache.org/thread.html/5851cb0214f22ba681fb445870eeb6b01afd1fb614e45a22978d7dda%40%3Cusers.archiva.apache.org%3E
https://lists.apache.org/thread.html/ada0052409d8a4a8c4eb2c7fd6b9cd9423bc753d5fce87eb826662fb%40%3Cissues.archiva.apache.org%3E
https://seclists.org/bugtraq/2019/Apr/48