CVE-2024-27138

moderate-risk

Published 2024-03-01

** UNSUPPORTED WHEN ASSIGNED ** Incorrect Authorization vulnerability in Apache Archiva. Apache Archiva has a setting to disable user registration, however this restriction can be bypassed. As Apache Archiva has been retired, we do not expect to release a version of Apache Archiva that fixes this issue. You are recommended to look into migrating to a different solution, or isolate your instance from any untrusted users. NOTE: This vulnerability only affects products that are no longer supported by the maintainer

Do I need to act?

0.27% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.5/10 High

NETWORK / LOW complexity

Affected Products (1)

Archiva

Affected Vendors

Apache

References (4)

Mailing List http://www.openwall.com/lists/oss-security/2024/03/01/4

Mailing List https://lists.apache.org/thread/070qcpclcb3sqk1hn8j5lvzohp30k1m2

Mailing List http://www.openwall.com/lists/oss-security/2024/03/01/4

Mailing List https://lists.apache.org/thread/070qcpclcb3sqk1hn8j5lvzohp30k1m2

/ 100

moderate-risk

Severity 26/34 · High

Exploitability 1/34 · Minimal

Exposure 5/34 · Minimal