CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-27138 – Apache Archiva: disabling user registration is not effective
https://notcve.org/view.php?id=CVE-2024-27138
Incorrect Authorization vulnerability in Apache Archiva. Apache Archiva has a setting to disable user registration, however this restriction can be bypassed. As Apache Archiva has been retired, we do not expect to release a version of Apache Archiva that fixes this issue. You are recommended to look into migrating to a different solution, or isolate your instance from any untrusted users. NOTE: This vulnerability only affects products that are no longer supported by the maintainer Vulnerabilidad de autorización incorrecta en Apache Archiva. Apache Archiva tiene una configuración para deshabilitar el registro de usuarios; sin embargo, esta restricción se puede evitar. Como Apache Archiva ha sido retirado, no esperamos lanzar una versión de Apache Archiva que solucione este problema. • http://www.openwall.com/lists/oss-security/2024/03/01/4 https://lists.apache.org/thread/070qcpclcb3sqk1hn8j5lvzohp30k1m2 • CWE-863: Incorrect Authorization •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-27139 – Apache Archiva: incorrect authentication potentially leading to account takeover
https://notcve.org/view.php?id=CVE-2024-27139
Incorrect Authorization vulnerability in Apache Archiva: a vulnerability in Apache Archiva allows an unauthenticated attacker to modify account data, potentially leading to account takeover. This issue affects Apache Archiva: from 2.0.0. As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. Vulnerabilidad de autorización incorrecta en Apache Archiva: una vulnerabilidad en Apache Archiva permite que un atacante no autenticado modifique los datos de la cuenta, lo que podría llevar a la apropiación de la cuenta. Este problema afecta a Apache Archiva: desde 2.0.0. Como este proyecto está retirado, no planeamos lanzar una versión que solucione este problema. • http://www.openwall.com/lists/oss-security/2024/03/01/3 https://lists.apache.org/thread/qr8b7r86p1hkn0dc0q827s981kf1bgd8 • CWE-863: Incorrect Authorization •
CVSS: -EPSS: 0%CPEs: 1EXPL: 0CVE-2024-27140 – Apache Archiva: reflected XSS
https://notcve.org/view.php?id=CVE-2024-27140
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Archiva. This issue affects Apache Archiva: from 2.0.0. As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users. Alternatively, you could configure a HTTP proxy in front of your Archiva instance to only forward requests that do not have malicious characters in the URL. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. Vulnerabilidad de neutralización inadecuada de la entrada durante la generación de páginas web ('cross-site Scripting') en Apache Archiva. Este problema afecta a Apache Archiva: desde 2.0.0. • http://www.openwall.com/lists/oss-security/2024/03/01/2 https://lists.apache.org/thread/xrn6nt904ozh3jym60c3f5hj2fb75pjy • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •