CVE-2019-0213 (GCVE-0-2019-0213)
Vulnerability from cvelistv5
Published
2019-04-30 21:35
Modified
2024-08-04 17:44
Severity ?
CWE
  • Stored XSS
Summary
In Apache Archiva before 2.2.4, it may be possible to store malicious XSS code into central configuration entries, i.e. the logo URL. The vulnerability is considered as minor risk, as only users with admin role can change the configuration, or the communication between the browser and the Archiva server must be compromised.
References
security@apache.org http://archiva.apache.org/security.html#CVE-2019-0213 Vendor Advisory
security@apache.org http://packetstormsecurity.com/files/152681/Apache-Archiva-2.2.3-Cross-Site-Scripting.html Third Party Advisory, VDB Entry
security@apache.org http://www.openwall.com/lists/oss-security/2019/04/30/7 Mailing List, Third Party Advisory
security@apache.org http://www.securityfocus.com/bid/108123 Third Party Advisory, VDB Entry
security@apache.org https://lists.apache.org/thread.html/0397ddbd17b5257cc1746b31a07294a87221c5ca24e5d19d390e28f3%40%3Cusers.archiva.apache.org%3E
security@apache.org https://lists.apache.org/thread.html/7bcea134c3d6fa72cdc1052922ac0914f399f63f4690b7937b80127d%40%3Cannounce.apache.org%3E
security@apache.org https://lists.apache.org/thread.html/ada0052409d8a4a8c4eb2c7fd6b9cd9423bc753d5fce87eb826662fb%40%3Cissues.archiva.apache.org%3E
security@apache.org https://lists.apache.org/thread.html/c358754a35473a61477f9d487870581a0dd7054ff95974628fa09f97%40%3Cusers.maven.apache.org%3E
security@apache.org https://seclists.org/bugtraq/2019/Apr/47 Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 http://archiva.apache.org/security.html#CVE-2019-0213 Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108 http://packetstormsecurity.com/files/152681/Apache-Archiva-2.2.3-Cross-Site-Scripting.html Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108 http://www.openwall.com/lists/oss-security/2019/04/30/7 Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 http://www.securityfocus.com/bid/108123 Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108 https://lists.apache.org/thread.html/0397ddbd17b5257cc1746b31a07294a87221c5ca24e5d19d390e28f3%40%3Cusers.archiva.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108 https://lists.apache.org/thread.html/7bcea134c3d6fa72cdc1052922ac0914f399f63f4690b7937b80127d%40%3Cannounce.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108 https://lists.apache.org/thread.html/ada0052409d8a4a8c4eb2c7fd6b9cd9423bc753d5fce87eb826662fb%40%3Cissues.archiva.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108 https://lists.apache.org/thread.html/c358754a35473a61477f9d487870581a0dd7054ff95974628fa09f97%40%3Cusers.maven.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108 https://seclists.org/bugtraq/2019/Apr/47 Mailing List, Third Party Advisory
Impacted products
Vendor Product Version
Apache Apache Archiva Version: All versions prior to version 2.2.4
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T17:44:14.810Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "20190430 [SECURITY] CVE-2019-0213: Apache Archiva Stored XSS",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "https://seclists.org/bugtraq/2019/Apr/47"
          },
          {
            "name": "[maven-users] 20190430 [SECURITY] CVE-2019-0213: Apache Archiva Stored XSS",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/c358754a35473a61477f9d487870581a0dd7054ff95974628fa09f97%40%3Cusers.maven.apache.org%3E"
          },
          {
            "name": "[archiva-users] 20190430 [SECURITY] CVE-2019-0213: Apache Archiva Stored XSS",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/0397ddbd17b5257cc1746b31a07294a87221c5ca24e5d19d390e28f3%40%3Cusers.archiva.apache.org%3E"
          },
          {
            "name": "[oss-security] 20190430 [SECURITY] CVE-2019-0213: Apache Archiva Stored XSS",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2019/04/30/7"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/152681/Apache-Archiva-2.2.3-Cross-Site-Scripting.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://archiva.apache.org/security.html#CVE-2019-0213"
          },
          {
            "name": "[archiva-issues] 20190501 [jira] [Created] (MRM-1987) Port security fixes for 2.2.4 to 3.0.0",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/ada0052409d8a4a8c4eb2c7fd6b9cd9423bc753d5fce87eb826662fb%40%3Cissues.archiva.apache.org%3E"
          },
          {
            "name": "108123",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/108123"
          },
          {
            "name": "[announce] 20190430 [SECURITY] CVE-2019-0213: Apache Archiva Stored XSS",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/7bcea134c3d6fa72cdc1052922ac0914f399f63f4690b7937b80127d%40%3Cannounce.apache.org%3E"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache Archiva",
          "vendor": "Apache",
          "versions": [
            {
              "status": "affected",
              "version": "All versions prior to version 2.2.4"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In Apache Archiva before 2.2.4, it may be possible to store malicious XSS code into central configuration entries, i.e. the logo URL. The vulnerability is considered as minor risk, as only users with admin role can change the configuration, or the communication between the browser and the Archiva server must be compromised."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Stored XSS",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-05-06T19:58:29",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "name": "20190430 [SECURITY] CVE-2019-0213: Apache Archiva Stored XSS",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "https://seclists.org/bugtraq/2019/Apr/47"
        },
        {
          "name": "[maven-users] 20190430 [SECURITY] CVE-2019-0213: Apache Archiva Stored XSS",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/c358754a35473a61477f9d487870581a0dd7054ff95974628fa09f97%40%3Cusers.maven.apache.org%3E"
        },
        {
          "name": "[archiva-users] 20190430 [SECURITY] CVE-2019-0213: Apache Archiva Stored XSS",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/0397ddbd17b5257cc1746b31a07294a87221c5ca24e5d19d390e28f3%40%3Cusers.archiva.apache.org%3E"
        },
        {
          "name": "[oss-security] 20190430 [SECURITY] CVE-2019-0213: Apache Archiva Stored XSS",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2019/04/30/7"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/152681/Apache-Archiva-2.2.3-Cross-Site-Scripting.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://archiva.apache.org/security.html#CVE-2019-0213"
        },
        {
          "name": "[archiva-issues] 20190501 [jira] [Created] (MRM-1987) Port security fixes for 2.2.4 to 3.0.0",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/ada0052409d8a4a8c4eb2c7fd6b9cd9423bc753d5fce87eb826662fb%40%3Cissues.archiva.apache.org%3E"
        },
        {
          "name": "108123",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/108123"
        },
        {
          "name": "[announce] 20190430 [SECURITY] CVE-2019-0213: Apache Archiva Stored XSS",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/7bcea134c3d6fa72cdc1052922ac0914f399f63f4690b7937b80127d%40%3Cannounce.apache.org%3E"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2019-0213",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache Archiva",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "All versions prior to version 2.2.4"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Apache"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In Apache Archiva before 2.2.4, it may be possible to store malicious XSS code into central configuration entries, i.e. the logo URL. The vulnerability is considered as minor risk, as only users with admin role can change the configuration, or the communication between the browser and the Archiva server must be compromised."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Stored XSS"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "20190430 [SECURITY] CVE-2019-0213: Apache Archiva Stored XSS",
              "refsource": "BUGTRAQ",
              "url": "https://seclists.org/bugtraq/2019/Apr/47"
            },
            {
              "name": "[maven-users] 20190430 [SECURITY] CVE-2019-0213: Apache Archiva Stored XSS",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/c358754a35473a61477f9d487870581a0dd7054ff95974628fa09f97@%3Cusers.maven.apache.org%3E"
            },
            {
              "name": "[archiva-users] 20190430 [SECURITY] CVE-2019-0213: Apache Archiva Stored XSS",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/0397ddbd17b5257cc1746b31a07294a87221c5ca24e5d19d390e28f3@%3Cusers.archiva.apache.org%3E"
            },
            {
              "name": "[oss-security] 20190430 [SECURITY] CVE-2019-0213: Apache Archiva Stored XSS",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2019/04/30/7"
            },
            {
              "name": "http://packetstormsecurity.com/files/152681/Apache-Archiva-2.2.3-Cross-Site-Scripting.html",
              "refsource": "MISC",
              "url": "http://packetstormsecurity.com/files/152681/Apache-Archiva-2.2.3-Cross-Site-Scripting.html"
            },
            {
              "name": "http://archiva.apache.org/security.html#CVE-2019-0213",
              "refsource": "MISC",
              "url": "http://archiva.apache.org/security.html#CVE-2019-0213"
            },
            {
              "name": "[archiva-issues] 20190501 [jira] [Created] (MRM-1987) Port security fixes for 2.2.4 to 3.0.0",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/ada0052409d8a4a8c4eb2c7fd6b9cd9423bc753d5fce87eb826662fb@%3Cissues.archiva.apache.org%3E"
            },
            {
              "name": "108123",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/108123"
            },
            {
              "name": "[announce] 20190430 [SECURITY] CVE-2019-0213: Apache Archiva Stored XSS",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/7bcea134c3d6fa72cdc1052922ac0914f399f63f4690b7937b80127d@%3Cannounce.apache.org%3E"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2019-0213",
    "datePublished": "2019-04-30T21:35:47",
    "dateReserved": "2018-11-14T00:00:00",
    "dateUpdated": "2024-08-04T17:44:14.810Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2019-0213\",\"sourceIdentifier\":\"security@apache.org\",\"published\":\"2019-04-30T22:29:00.793\",\"lastModified\":\"2024-11-21T04:16:30.047\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In Apache Archiva before 2.2.4, it may be possible to store malicious XSS code into central configuration entries, i.e. the logo URL. The vulnerability is considered as minor risk, as only users with admin role can change the configuration, or the communication between the browser and the Archiva server must be compromised.\"},{\"lang\":\"es\",\"value\":\"En Apache Archiva anterior a versi\u00f3n 2.2.4, puede ser posible almacenar c\u00f3digo XSS malicioso en entradas de configuraci\u00f3n central, es decir, la URL logo. La vulnerabilidad es considerada un riesgo menor, ya que solo los usuarios con rol de administrador pueden cambiar la configuraci\u00f3n, o la comunicaci\u00f3n entre el navegador y el servidor Archiva debe verse comprometida.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:S/C:N/I:P/A:P\",\"baseScore\":5.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.0,\"impactScore\":4.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:archiva:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.2.4\",\"matchCriteriaId\":\"6AB5FF1B-F9F2-458C-BFE7-BA144AE1CAF2\"}]}]}],\"references\":[{\"url\":\"http://archiva.apache.org/security.html#CVE-2019-0213\",\"source\":\"security@apache.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://packetstormsecurity.com/files/152681/Apache-Archiva-2.2.3-Cross-Site-Scripting.html\",\"source\":\"security@apache.org\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2019/04/30/7\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://www.securityfocus.com/bid/108123\",\"source\":\"security@apache.org\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://lists.apache.org/thread.html/0397ddbd17b5257cc1746b31a07294a87221c5ca24e5d19d390e28f3%40%3Cusers.archiva.apache.org%3E\",\"source\":\"security@apache.org\"},{\"url\":\"https://lists.apache.org/thread.html/7bcea134c3d6fa72cdc1052922ac0914f399f63f4690b7937b80127d%40%3Cannounce.apache.org%3E\",\"source\":\"security@apache.org\"},{\"url\":\"https://lists.apache.org/thread.html/ada0052409d8a4a8c4eb2c7fd6b9cd9423bc753d5fce87eb826662fb%40%3Cissues.archiva.apache.org%3E\",\"source\":\"security@apache.org\"},{\"url\":\"https://lists.apache.org/thread.html/c358754a35473a61477f9d487870581a0dd7054ff95974628fa09f97%40%3Cusers.maven.apache.org%3E\",\"source\":\"security@apache.org\"},{\"url\":\"https://seclists.org/bugtraq/2019/Apr/47\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://archiva.apache.org/security.html#CVE-2019-0213\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://packetstormsecurity.com/files/152681/Apache-Archiva-2.2.3-Cross-Site-Scripting.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2019/04/30/7\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://www.securityfocus.com/bid/108123\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://lists.apache.org/thread.html/0397ddbd17b5257cc1746b31a07294a87221c5ca24e5d19d390e28f3%40%3Cusers.archiva.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/7bcea134c3d6fa72cdc1052922ac0914f399f63f4690b7937b80127d%40%3Cannounce.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/ada0052409d8a4a8c4eb2c7fd6b9cd9423bc753d5fce87eb826662fb%40%3Cissues.archiva.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/c358754a35473a61477f9d487870581a0dd7054ff95974628fa09f97%40%3Cusers.maven.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://seclists.org/bugtraq/2019/Apr/47\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.