fkie_nvd - fkie_cve-2010-4408

fkie_cve-2010-4408

Vulnerability from fkie_nvd

Published

2010-12-06 20:13

Modified

2025-04-11 00:51

Severity ?

Summary

Apache Archiva 1.0 through 1.0.3, 1.1 through 1.1.4, 1.2 through 1.2.2, and 1.3 through 1.3.1 does not require entry of the administrator's password at the time of modifying a user account, which makes it easier for context-dependent attackers to gain privileges by leveraging a (1) unattended workstation or (2) cross-site request forgery (CSRF) vulnerability, a related issue to CVE-2010-3449.

References

▶	URL	Tags
	cve@mitre.org	http://archiva.apache.org/security.html
	cve@mitre.org	http://mail-archives.apache.org/mod_mbox/archiva-users/201011.mbox/ajax/%3CAANLkTimXejHAuXdoUKLN=GkNty1_XnRCbv0YA0T2cS_2%40mail.gmail.com%3E
	cve@mitre.org	http://www.securityfocus.com/archive/1/514937/100/0/threaded
	af854a3a-2127-422b-91ae-364da2661108	http://archiva.apache.org/security.html
	af854a3a-2127-422b-91ae-364da2661108	http://mail-archives.apache.org/mod_mbox/archiva-users/201011.mbox/ajax/%3CAANLkTimXejHAuXdoUKLN=GkNty1_XnRCbv0YA0T2cS_2%40mail.gmail.com%3E
	af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/archive/1/514937/100/0/threaded

Impacted products

Vendor	Product	Version
apache	archiva	1.0
apache	archiva	1.0.1
apache	archiva	1.0.2
apache	archiva	1.0.3
apache	archiva	1.1
apache	archiva	1.1.1
apache	archiva	1.1.2
apache	archiva	1.1.3
apache	archiva	1.1.4
apache	archiva	1.2
apache	archiva	1.2.1
apache	archiva	1.2.2
apache	archiva	1.3
apache	archiva	1.3.1

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:apache:archiva:1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "DFD6FB90-E505-48D6-B9D1-3E8DD3A47234",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:archiva:1.0.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "21DF9796-959A-4566-8AEF-16ABD8E36444",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:archiva:1.0.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "08C7B72C-957A-44FA-BABA-03A7E4CEF36A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:archiva:1.0.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "5CFEDC8F-0FE0-4E69-8F6F-BD49AB46D8CF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:archiva:1.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "6FF7D312-B1C1-400B-AF0C-7375B1B3F0E0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:archiva:1.1.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "31357E13-6571-4FE9-A5E0-2CACE0423C2B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:archiva:1.1.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "ED2E53F7-845B-4077-9AC9-EAAE60ADC75A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:archiva:1.1.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "CF420D40-A4BE-4B74-9457-01E1FFF9D9A0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:archiva:1.1.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "B1389E21-2451-45FF-97C3-87B58A496E64",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:archiva:1.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "DC7E1832-3889-477D-9DA4-869B6867EBC3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:archiva:1.2.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "F945FF3A-483C-4CD5-A413-0C354C15A99F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:archiva:1.2.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "CCCF9A1C-7091-4D72-8AFC-5373F45FF7D5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:archiva:1.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "0D1D107D-C022-43B4-BA64-0D39F31EE226",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:archiva:1.3.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "F26131F0-693E-4245-9DC1-645B0EACD0D8",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Apache Archiva 1.0 through 1.0.3, 1.1 through 1.1.4, 1.2 through 1.2.2, and 1.3 through 1.3.1 does not require entry of the administrator\u0027s password at the time of modifying a user account, which makes it easier for context-dependent attackers to gain privileges by leveraging a (1) unattended workstation or (2) cross-site request forgery (CSRF) vulnerability, a related issue to CVE-2010-3449."
    },
    {
      "lang": "es",
      "value": "Apache Archiva 1.0 hasta la versi\u00f3n 1.0.3, 1.1 hasta la 1.1.4, 1.2 hasta la 1.2.2, y 1.3 hasta la 1.3.1 no requiere la entrada de la contrase\u00f1a de administrador al modificar una cuenta de usuario, lo que facilita a atacantes dependientes del contexto escalar privilegios a trav\u00e9s de (1) equipos desatentidos o (2) una vulnerabilidad de falsificaci\u00f3n de petici\u00f3n en sitios cruzados (CSRF). Un asunto relacionado con CVE-2010-3449."
    }
  ],
  "id": "CVE-2010-4408",
  "lastModified": "2025-04-11T00:51:21.963",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 6.8,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ]
  },
  "published": "2010-12-06T20:13:00.560",
  "references": [
    {
      "source": "cve@mitre.org",
      "url": "http://archiva.apache.org/security.html"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://mail-archives.apache.org/mod_mbox/archiva-users/201011.mbox/ajax/%3CAANLkTimXejHAuXdoUKLN=GkNty1_XnRCbv0YA0T2cS_2%40mail.gmail.com%3E"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.securityfocus.com/archive/1/514937/100/0/threaded"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://archiva.apache.org/security.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://mail-archives.apache.org/mod_mbox/archiva-users/201011.mbox/ajax/%3CAANLkTimXejHAuXdoUKLN=GkNty1_XnRCbv0YA0T2cS_2%40mail.gmail.com%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securityfocus.com/archive/1/514937/100/0/threaded"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

CVE-2010-4408 (GCVE-0-2010-4408)

Vulnerability from cvelistv5

Published

2010-12-06 20:00