CVE-2024-27140

moderate-risk

Published 2024-03-01

** UNSUPPORTED WHEN ASSIGNED ** Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Archiva. This issue affects Apache Archiva: from 2.0.0. As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users. Alternatively, you could configure a HTTP proxy in front of your Archiva instance to only forward requests that do not have malicious characters in the URL. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Do I need to act?

6.2% chance of exploitation in next 30 days

EPSS score — moderate exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.4/10 Medium

NETWORK / LOW complexity

Affected Products (1)

Archiva

Affected Vendors

Apache

References (4)

Mailing List http://www.openwall.com/lists/oss-security/2024/03/01/2

Mailing List https://lists.apache.org/thread/xrn6nt904ozh3jym60c3f5hj2fb75pjy

Mailing List http://www.openwall.com/lists/oss-security/2024/03/01/2

Mailing List https://lists.apache.org/thread/xrn6nt904ozh3jym60c3f5hj2fb75pjy

/ 100

moderate-risk

Severity 21/34 · High

Exploitability 9/34 · Low

Exposure 5/34 · Minimal