Thursday, February 13, 2014

Security Flaw with Apache Archiva 1.3.6

The current stable release of Apache Archiva (1.3.6) has a serious, known security flaw. I've reported this to Apache security and to the Archiva mailing lists. If you are running Archiva as a privileged user, this flaw would allow a remote attacker to gain access to your entire machine.

This is apparently a downstream security flaw resulting from the use of an older version of Struts: