www-announce mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Brett Porter <br...@apache.org>
Subject [SECURITY] CVE-2010-1870 Apache Archiva affected by Struts2 remote commands execution
Date Fri, 11 Jan 2013 03:45:20 GMT
CVE-2010-1870 Apache Archiva affected by Struts2 remote commands execution

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- Archiva 1.3 to Continuum 1.3.5
- The unsupported versions Archiva 1.2 to 1.2.2 are also affected.

Description:
Apache Archiva is affected by a vulnerability in the version of the
Struts library being used, which allows a malicious user to run code on the
server remotely. More details about the vulnerability can be found at
http://struts.apache.org/2.2.1/docs/s2-005.html.

Mitigation:
All users of affected versions are recommended to upgrade to Archiva 1.3.6, which configures
Struts in such a way that it is not affected by this issue.

References:
http://archiva.apache.org/security.html


--
Brett Porter
brett@apache.org
http://brettporter.wordpress.com/
http://au.linkedin.com/in/brettporter
http://twitter.com/brettporter






Mime
View raw message