Posted to issues@continuum.apache.org by "Brett Porter (JIRA)" <ji...@codehaus.org> on 2011/02/01 12:49:22 UTC
[jira] Moved: (CONTINUUM-2603) CSRF vulnerability - Continuum doesn't check which form sends credentials
[ http://jira.codehaus.org/browse/CONTINUUM-2603?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Brett Porter moved MRM-1454 to CONTINUUM-2603:
----------------------------------------------
Complexity: Intermediate
Component/s: Security (was: Users/Security)
Fix Version/s: 1.4.1 (Beta), 1.3.7 (was: 1.3.2)
Key: CONTINUUM-2603 (was: MRM-1454)
Project: Continuum (was: Archiva)
> CSRF vulnerability - Continuum doesn't check which form sends credentials
> -------------------------------------------------------------------------
>
> Key: CONTINUUM-2603
> URL: http://jira.codehaus.org/browse/CONTINUUM-2603
> Project: Continuum
> Issue Type: Bug
> Components: Security
> Reporter: Maria Odea Ching
> Assignee: Maria Odea Ching
> Priority: Critical
> Fix For: 1.3.7, 1.4.1 (Beta)
>
>
> As reported by Anatolia Security Research Group, Apache Archiva doesn't check which form sends credentials. An attacker can create a specially crafted page and force archiva administrators to view it and change their credentials.
> Vulnerability reference key: [CVE-2010-3449] Apache Archiva CSRF Vulnerability
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly contact one of the administrators: http://jira.codehaus.org/secure/Administrators.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
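The defect the quoted report describes (the server accepting a credential-changing POST without checking which form sent it) is what a synchronizer token closes: a state-changing request must carry a secret that a page on another origin cannot read. The servlet filter below is an added illustration of that check, not Continuum's or Archiva's own code and not the project's actual fix; the session attribute and hidden-field names `csrfToken` and `_csrf`, and the Java 8 / Servlet API assumptions, are mine.

```java
import java.io.IOException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.http.*;
/** Rejects state-changing requests that do not carry the per-session synchronizer token. */
public class CsrfTokenFilter implements Filter {
    static final String TOKEN_ATTR = "csrfToken"; // session attribute name (assumed)
    static final String TOKEN_PARAM = "_csrf";    // hidden form field name (assumed)
    private static final SecureRandom RNG = new SecureRandom();

    /** Returns the session's token, minting one on first use; templates embed it in every form. */
    public static synchronized String tokenFor(HttpSession session) {
        String t = (String) session.getAttribute(TOKEN_ATTR);
        if (t == null) {
            byte[] raw = new byte[32];
            RNG.nextBytes(raw);
            t = Base64.getUrlEncoder().withoutPadding().encodeToString(raw); // ASCII only
            session.setAttribute(TOKEN_ATTR, t);
        }
        return t;
    }

    /** Constant-time comparison so a wrong guess does not leak how much of the token matched. */
    static boolean tokenMatches(String expected, String supplied) {
        if (expected == null || supplied == null) return false;
        return MessageDigest.isEqual(expected.getBytes(), supplied.getBytes());
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest r = (HttpServletRequest) req;
        String m = r.getMethod();
        // Safe methods must not change state, so only POST/PUT/DELETE and friends are gated.
        if (!("GET".equals(m) || "HEAD".equals(m) || "OPTIONS".equals(m))) {
            HttpSession s = r.getSession(false);
            String expected = s == null ? null : (String) s.getAttribute(TOKEN_ATTR);
            if (!tokenMatches(expected, r.getParameter(TOKEN_PARAM))) {
                // A form served from an attacker's page cannot read the token, so it fails here.
                ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
        }
        chain.doFilter(req, res);
    }
    @Override public void init(FilterConfig c) {}
    @Override public void destroy() {}
}
```

Map the filter over every URL that accepts account or configuration changes, and render `tokenFor(session)` into a hidden `_csrf` field of each such form so legitimate submissions still pass.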