Thursday, February 13, 2014

Security Flaw with Apache Archiva 1.3.6

The current stable release of Apache Archiva (1.3.6) has a serious, known security flaw: http://cxsecurity.com/issue/WLB-2014010087. I've reported this to Apache security and to the Archiva mailing lists. If you are running Archiva as a privileged user, this flaw would allow a remote attacker to gain access to your entire machine.

This is apparently a downstream security flaw resulting from Archiva's use of an older version of Struts, covered by the Struts S2-016 advisory: http://struts.apache.org/release/2.3.x/docs/s2-016.html