
=====================================================================

                                CERT-Renater

                    Information Note No. 2022/VULN426

_____________________________________________________________________

DATE                : 17/11/2022

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Archiva versions prior
                     to 2.2.9.

=====================================================================
https://lists.apache.org/thread/x01pnn0jjsw512cscxsbxzrjmz64n4cc
https://lists.apache.org/thread/1odl4p85r96n27k577jk6ftrp19xfc27
_____________________________________________________________________

CVE-2022-40308: Apache Archiva prior to 2.2.9 may allow the anonymous
user to read arbitrary files

Description:

If anonymous read is enabled, it is possible to read the database file
directly without logging in.


Credit:

Thanks to L3yx of Syclover Security Team

_____________________________________________________________________

CVE-2022-40309: Apache Archiva prior to 2.2.9 allows an
authenticated user to delete arbitrary directories

Description:

Users with write permissions to a repository can delete arbitrary
directories.


Credit:

Thanks to L3yx of Syclover Security Team
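
Both issues above are fixed in Apache Archiva 2.2.9. As an added example
(not code from this bulletin or from the Apache Archiva project), the
Python script below flags hosts in an inventory that still run a version
prior to 2.2.9. The hostnames and versions are constructed sample data,
and the function names parse_version, is_vulnerable and triage are
assumptions; the point it shows is that version strings must be compared
numerically, since a plain string comparison would rank 2.2.10 below
2.2.9 and miss or mislabel hosts.

```python
"""Added example, not part of the CERT-Renater bulletin or of Apache
Archiva: list inventory hosts whose Archiva version is older than 2.2.9,
the first release fixing CVE-2022-40308 and CVE-2022-40309."""

import re

FIXED_VERSION = "2.2.9"  # first fixed release, as stated in the bulletin

# Leading dotted numeric part of a version string; any suffix is ignored.
_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)")


def parse_version(version):
    """Turn '2.2.8' into (2, 2, 8) so components compare as integers."""
    match = _VERSION_RE.match(version)
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_vulnerable(version, fixed=FIXED_VERSION):
    """True when `version` is strictly older than `fixed`.

    Tuples are padded with zeros so that '2.2' compares as 2.2.0, and the
    comparison is numeric: ('2', '2', '10') < ('2', '2', '9') as strings,
    but (2, 2, 10) > (2, 2, 9) as integers, which is the correct answer.
    """
    have, want = parse_version(version), parse_version(fixed)
    width = max(len(have), len(want))
    have += (0,) * (width - len(have))
    want += (0,) * (width - len(want))
    return have < want


def triage(inventory):
    """Given {hostname: archiva_version}, return the sorted list of hosts
    that still need to be upgraded to 2.2.9 or later."""
    return sorted(host for host, ver in inventory.items() if is_vulnerable(ver))


# Constructed sample inventory: hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "archiva-old.example.internal": "2.2.8",
    "archiva-fixed.example.internal": "2.2.9",
    "archiva-newer.example.internal": "2.2.10",
    "archiva-legacy.example.internal": "2.1.1",
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: Apache Archiva {SAMPLE_INVENTORY[host]} "
              f"is prior to {FIXED_VERSION}; upgrade required")
```

Run it against a real inventory by replacing SAMPLE_INVENTORY with the
hosts and versions you collect; a build suffix such as -SNAPSHOT is
dropped by parse_version, so pre-release builds of 2.2.9 should be
reviewed by hand rather than trusted as fixed.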


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================