The current stable release of Apache Archiva (1.3.6) has a serious, known security flaw: http://cxsecurity.com/issue/WLB-2014010087. I've reported this to Apache security and to the Archiva mailing lists. If you are running Archiva as a privileged user, this flaw would allow a remote attacker to gain access to your entire machine.
This is apparently a downstream security flaw resulting from the use of an older version of Struts: http://struts.apache.org/release/2.3.x/docs/s2-016.html.