{"api_version":"1","generated_at":"2026-04-22T17:44:18+00:00","cve":"CVE-2017-5657","urls":{"html":"https://cve.report/CVE-2017-5657","api":"https://cve.report/api/cve/CVE-2017-5657.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2017-5657","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2017-5657"},"summary":{"title":"CVE-2017-5657","description":"Several REST service endpoints of Apache Archiva are not protected against Cross Site Request Forgery (CSRF) attacks. A malicious site opened in the same browser as the archiva site, may send an HTML response that performs arbitrary actions on archiva services, with the same rights as the active archiva session (e.g. administrator rights).","state":"PUBLIC","assigner":"security@apache.org","published_at":"2017-05-22 18:29:00","updated_at":"2023-11-07 02:49:00"},"problem_types":["CWE-352"],"metrics":[],"references":[{"url":"https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8%40%3Ccommits.pulsar.apache.org%3E","name":"[pulsar-commits] 20190416 [GitHub] [pulsar] one70six opened a new issue #4057: Security Vulnerabilities - Black Duck Scan - Pulsar v.2.3.1","refsource":"","tags":[],"title":"Pony Mail!","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E","name":"[pulsar-commits] 20190416 [GitHub] [pulsar] one70six opened a new issue #4057: Security Vulnerabilities - Black Duck Scan - Pulsar v.2.3.1","refsource":"MLIST","tags":[],"title":"Pony Mail!","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.securitytracker.com/id/1038528","name":"1038528","refsource":"SECTRACK","tags":[],"title":"Apache Archiva Access Control Flaw at Several REST Endpoints Lets Remote Users Conduct Cross-Site Request Forgery Attacks - SecurityTracker","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://archiva.apache.org/security.html#CVE-2017-5657","name":"http://archiva.apache.org/security.html#CVE-2017-5657","refsource":"CONFIRM","tags":["Patch","Vendor Advisory"],"title":"Archiva – Security Vulnerabilities","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.securityfocus.com/bid/98570","name":"98570","refsource":"BID","tags":["Third Party Advisory","VDB Entry"],"title":"Apache Archiva CVE-2017-5657 Multiple Cross-Site Request Forgery Vulnerabilities","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2017-5657","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-5657","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2017","cve_id":"5657","vulnerable":"1","versionEndIncluding":"2.2.1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apache","cpe5":"archiva","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"security@apache.org","ID":"CVE-2017-5657","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"Apache Archiva","version":{"version_data":[{"version_value":"1.x"},{"version_value":"2.0.0, 2.0.1"},{"version_value":"2.1.0, 2.1.1"},{"version_value":"2.2.0, 2.2.1, 2.2.2"}]}}]},"vendor_name":"Apache Software Foundation"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Several REST service endpoints of Apache Archiva are not protected against Cross Site Request Forgery (CSRF) attacks. A malicious site opened in the same browser as the archiva site, may send an HTML response that performs arbitrary actions on archiva services, with the same rights as the active archiva session (e.g. administrator rights)."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Apache Archiva CSRF vulnerabilities for various REST endpoints"}]}]},"references":{"reference_data":[{"name":"http://archiva.apache.org/security.html#CVE-2017-5657","refsource":"CONFIRM","url":"http://archiva.apache.org/security.html#CVE-2017-5657"},{"name":"98570","refsource":"BID","url":"http://www.securityfocus.com/bid/98570"},{"name":"1038528","refsource":"SECTRACK","url":"http://www.securitytracker.com/id/1038528"},{"refsource":"MLIST","name":"[pulsar-commits] 20190416 [GitHub] [pulsar] one70six opened a new issue #4057: Security Vulnerabilities - Black Duck Scan - Pulsar v.2.3.1","url":"https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E"}]}},"nvd":{"publishedDate":"2017-05-22 18:29:00","lastModifiedDate":"2023-11-07 02:49:00","problem_types":["CWE-352"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":8,"baseSeverity":"HIGH"},"exploitabilityScore":2.1,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:S/C:P/I:P/A:P","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"SINGLE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":6},"severity":"MEDIUM","exploitabilityScore":6.8,"impactScore":6.4,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:apache:archiva:*:*:*:*:*:*:*:*","versionEndIncluding":"2.2.1","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2017","CveId":"5657","Ordinal":"102236","Title":"CVE-2017-5657","CVE":"CVE-2017-5657","Year":"2017"},"notes":[{"CveYear":"2017","CveId":"5657","Ordinal":"1","NoteData":"Several REST service endpoints of Apache Archiva are not protected against Cross Site Request Forgery (CSRF) attacks. A malicious site opened in the same browser as the archiva site, may send an HTML response that performs arbitrary actions on archiva services, with the same rights as the active archiva session (e.g. administrator rights).","Type":"Description","Title":null},{"CveYear":"2017","CveId":"5657","Ordinal":"2","NoteData":"2017-05-22","Type":"Other","Title":"Published"},{"CveYear":"2017","CveId":"5657","Ordinal":"3","NoteData":"2019-04-16","Type":"Other","Title":"Modified"}]}}}