You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@archiva.apache.org by Brett Porter <br...@apache.org> on 2013/01/11 04:44:50 UTC

[SECURITY] CVE-2010-1870 Apache Archiva affected by Struts2 remote commands execution

CVE-2010-1870 Apache Archiva affected by Struts2 remote commands execution

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- Archiva 1.3 to Continuum 1.3.5
- The unsupported versions Archiva 1.2 to 1.2.2 are also affected.

Description:
Apache Archiva is affected by a vulnerability in the version of the
Struts library being used, which allows a malicious user to run code on the
server remotely. More details about the vulnerability can be found at
http://struts.apache.org/2.2.1/docs/s2-005.html.

Mitigation:
All users of affected versions are recommended to upgrade to Archiva 1.3.6, which configures
Struts in such a way that it is not affected by this issue.

References:
http://archiva.apache.org/security.html


--
Brett Porter
brett@apache.org
http://brettporter.wordpress.com/
http://au.linkedin.com/in/brettporter
http://twitter.com/brettporter