Apache Archiva: CSRF Vulnerability 

Users of Apache Archiva please be advised of a CSRF vulnerability that has been identified.
To view this vulnerability, possible remedies, and others please check out the Security Advisories at Critical Watch (http://criticalwatch.com/support/security-advisories.aspx)

CVE-2010-3449: Apache Archiva CSRF Vulnerability
Description:
Apache Archiva doesn’t check which form sends credentials. An attacker
can create a specially crafted page and force archiva administrators
to view it and change their credentials. To fix this, a referrer check
was added to the security interceptor for all secured actions. A
prompt for the administrator’s password when changing a user account
was also set in place.

Read more at http://www.criticalwatch.com

 

Advertisements