CVE-2022-40308: Apache Archiva vulnerable to Sensitive Information Disclosure via anonymous user

November 15, 2022 (updated November 29, 2022)

If anonymous read enabled, it’s possible to read the database file directly without logging in.

References

www.openwall.com/lists/oss-security/2022/11/15/2
archiva.apache.org/security.html
github.com/advisories/GHSA-463w-hxfv-g9f6
lists.apache.org/thread/x01pnn0jjsw512cscxsbxzrjmz64n4cc
nvd.nist.gov/vuln/detail/CVE-2022-40308

Detect and mitigate CVE-2022-40308 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →