CVE-2010-4408 — Apache Archiva does not require entry of the administrator's password at the tim

Description

Apache Archiva 1.0 through 1.0.3, 1.1 through 1.1.4, 1.2 through 1.2.2, and 1.3 through 1.3.1 does not require entry of the administrator's password at the time of modifying a user account, which makes it easier for context-dependent attackers to gain privileges by leveraging a (1) unattended workstation or (2) cross-site request forgery (CSRF) vulnerability, a related issue to CVE-2010-3449.

How to fix CVE-2010-4408

To remediate CVE-2010-4408, upgrade the affected package to a fixed version below.

—upgrade to 1.3.2 or later

Is CVE-2010-4408 being exploited?

Low — EPSS is 1.4%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 1.0, < 1.3.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2010-4408
PATCHgithub.com/apache/archiva
WEBarchiva.apache.org/security.html
WEBmail-archives.apache.org/mod_mbox/archiva-users/201011.mbox/ajax/%3CAANLkTimXejHAuXdoUKLN=GkNty1_XnRCbv0YA0T2cS_2%40mail.gmail.com%3E