CVE-2010-4408: Apache Archiva does not require entry of the administrator's password at the time of modifying a user account

May 14, 2022 (updated April 12, 2025)

Apache Archiva 1.0 through 1.0.3, 1.1 through 1.1.4, 1.2 through 1.2.2, and 1.3 through 1.3.1 does not require entry of the administrator’s password at the time of modifying a user account, which makes it easier for context-dependent attackers to gain privileges by leveraging a (1) unattended workstation or (2) cross-site request forgery (CSRF) vulnerability, a related issue to CVE-2010-3449.

References

github.com/advisories/GHSA-5p54-jj38-3hxj
github.com/apache/archiva
nvd.nist.gov/vuln/detail/CVE-2010-4408
web.archive.org/web/20201209001124/http://www.securityfocus.com/archive/1/514937/100/0/threaded

Code Behaviors & Features

Detect and mitigate CVE-2010-4408 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →