CVE-2022-40308 – org.apache.archiva:archiva-common

Package

Manager: maven
Name: org.apache.archiva:archiva-common
Vulnerable Version: >=0 <2.2.9

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.0027 pctl0.50236

Details

Apache Archiva vulnerable to Sensitive Information Disclosure via anonymous user Apache Archiva prior to 2.2.9 may allow the anonymous user to read arbitrary files. If anonymous read enabled, it's possible to read the database file directly without logging in.

Metadata

Created: 2022-11-15T19:00:52Z
Modified: 2022-11-22T00:17:45Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-463w-hxfv-g9f6/GHSA-463w-hxfv-g9f6.json
CWE IDs: ["CWE-200", "CWE-862"]
Alternative ID: GHSA-463w-hxfv-g9f6
Finding: F308
Auto approve: 1