{"api_version":"1","generated_at":"2026-04-22T17:46:02+00:00","cve":"CVE-2019-0213","urls":{"html":"https://cve.report/CVE-2019-0213","api":"https://cve.report/api/cve/CVE-2019-0213.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2019-0213","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2019-0213"},"summary":{"title":"CVE-2019-0213","description":"In Apache Archiva before 2.2.4, it may be possible to store malicious XSS code into central configuration entries, i.e. the logo URL. The vulnerability is considered as minor risk, as only users with admin role can change the configuration, or the communication between the browser and the Archiva server must be compromised.","state":"PUBLIC","assigner":"security@apache.org","published_at":"2019-04-30 22:29:00","updated_at":"2023-11-07 03:01:00"},"problem_types":["CWE-79"],"metrics":[],"references":[{"url":"https://lists.apache.org/thread.html/ada0052409d8a4a8c4eb2c7fd6b9cd9423bc753d5fce87eb826662fb@%3Cissues.archiva.apache.org%3E","name":"[archiva-issues] 20190501 [jira] [Created] (MRM-1987) Port security fixes for 2.2.4 to 3.0.0","refsource":"MLIST","tags":["Third Party Advisory"],"title":"Pony Mail!","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.openwall.com/lists/oss-security/2019/04/30/7","name":"[oss-security] 20190430 [SECURITY] CVE-2019-0213: Apache Archiva Stored XSS","refsource":"MLIST","tags":["Mailing List","Third Party Advisory"],"title":"oss-security - [SECURITY] CVE-2019-0213: Apache Archiva Stored XSS","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.apache.org/thread.html/7bcea134c3d6fa72cdc1052922ac0914f399f63f4690b7937b80127d%40%3Cannounce.apache.org%3E","name":"[announce] 20190430 [SECURITY] CVE-2019-0213: Apache Archiva Stored XSS","refsource":"","tags":[],"title":"Pony Mail!","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.apache.org/thread.html/0397ddbd17b5257cc1746b31a07294a87221c5ca24e5d19d390e28f3%40%3Cusers.archiva.apache.org%3E","name":"[archiva-users] 20190430 [SECURITY] CVE-2019-0213: Apache Archiva Stored XSS","refsource":"","tags":[],"title":"Pony Mail!","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://packetstormsecurity.com/files/152681/Apache-Archiva-2.2.3-Cross-Site-Scripting.html","name":"http://packetstormsecurity.com/files/152681/Apache-Archiva-2.2.3-Cross-Site-Scripting.html","refsource":"MISC","tags":["Third Party Advisory","VDB Entry"],"title":"Apache Archiva 2.2.3 Cross Site Scripting ≈ Packet Storm","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.apache.org/thread.html/7bcea134c3d6fa72cdc1052922ac0914f399f63f4690b7937b80127d@%3Cannounce.apache.org%3E","name":"[announce] 20190430 [SECURITY] CVE-2019-0213: Apache Archiva Stored XSS","refsource":"MLIST","tags":["Mailing List","Vendor Advisory"],"title":"Pony Mail!","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://archiva.apache.org/security.html#CVE-2019-0213","name":"http://archiva.apache.org/security.html#CVE-2019-0213","refsource":"MISC","tags":["Vendor Advisory"],"title":"Archiva – Security Vulnerabilities","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.apache.org/thread.html/c358754a35473a61477f9d487870581a0dd7054ff95974628fa09f97%40%3Cusers.maven.apache.org%3E","name":"[maven-users] 20190430 [SECURITY] CVE-2019-0213: Apache Archiva Stored XSS","refsource":"","tags":[],"title":"Pony Mail!","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.apache.org/thread.html/0397ddbd17b5257cc1746b31a07294a87221c5ca24e5d19d390e28f3@%3Cusers.archiva.apache.org%3E","name":"[archiva-users] 20190430 [SECURITY] CVE-2019-0213: Apache Archiva Stored XSS","refsource":"MLIST","tags":["Mailing List","Vendor Advisory"],"title":"Pony Mail!","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.apache.org/thread.html/ada0052409d8a4a8c4eb2c7fd6b9cd9423bc753d5fce87eb826662fb%40%3Cissues.archiva.apache.org%3E","name":"[archiva-issues] 20190501 [jira] [Created] (MRM-1987) Port security fixes for 2.2.4 to 3.0.0","refsource":"","tags":[],"title":"Pony Mail!","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.apache.org/thread.html/c358754a35473a61477f9d487870581a0dd7054ff95974628fa09f97@%3Cusers.maven.apache.org%3E","name":"[maven-users] 20190430 [SECURITY] CVE-2019-0213: Apache Archiva Stored XSS","refsource":"MLIST","tags":["Mailing List","Vendor Advisory"],"title":"Pony Mail!","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://seclists.org/bugtraq/2019/Apr/47","name":"20190430 [SECURITY] CVE-2019-0213: Apache Archiva Stored XSS","refsource":"BUGTRAQ","tags":["Mailing List","Third Party Advisory"],"title":"Bugtraq: [SECURITY] CVE-2019-0213: Apache Archiva Stored XSS","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.securityfocus.com/bid/108123","name":"108123","refsource":"BID","tags":["Third Party Advisory","VDB Entry"],"title":"Apache Archiva CVE-2019-0213 HTML Injection Vulnerability","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2019-0213","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-0213","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2019","cve_id":"213","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apache","cpe5":"archiva","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"213","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apache","cpe5":"archiva","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2019-0213","qid":"983479","title":"Java (maven) Security Update for org.apache.archiva:archiva (GHSA-cqcf-4g4h-rghf)"}]},"source_records":{"cve_program":{"data_type":"CVE","data_format":"MITRE","data_version":"4.0","CVE_data_meta":{"ID":"CVE-2019-0213","ASSIGNER":"security@apache.org","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"vendor_name":"Apache","product":{"product_data":[{"product_name":"Apache Archiva","version":{"version_data":[{"version_value":"All versions prior to version 2.2.4"}]}}]}}]}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Stored XSS"}]}]},"references":{"reference_data":[{"refsource":"BUGTRAQ","name":"20190430 [SECURITY] CVE-2019-0213: Apache Archiva Stored XSS","url":"https://seclists.org/bugtraq/2019/Apr/47"},{"refsource":"MLIST","name":"[maven-users] 20190430 [SECURITY] CVE-2019-0213: Apache Archiva Stored XSS","url":"https://lists.apache.org/thread.html/c358754a35473a61477f9d487870581a0dd7054ff95974628fa09f97@%3Cusers.maven.apache.org%3E"},{"refsource":"MLIST","name":"[archiva-users] 20190430 [SECURITY] CVE-2019-0213: Apache Archiva Stored XSS","url":"https://lists.apache.org/thread.html/0397ddbd17b5257cc1746b31a07294a87221c5ca24e5d19d390e28f3@%3Cusers.archiva.apache.org%3E"},{"refsource":"MLIST","name":"[oss-security] 20190430 [SECURITY] CVE-2019-0213: Apache Archiva Stored XSS","url":"http://www.openwall.com/lists/oss-security/2019/04/30/7"},{"refsource":"MISC","name":"http://packetstormsecurity.com/files/152681/Apache-Archiva-2.2.3-Cross-Site-Scripting.html","url":"http://packetstormsecurity.com/files/152681/Apache-Archiva-2.2.3-Cross-Site-Scripting.html"},{"refsource":"MISC","name":"http://archiva.apache.org/security.html#CVE-2019-0213","url":"http://archiva.apache.org/security.html#CVE-2019-0213"},{"refsource":"MLIST","name":"[archiva-issues] 20190501 [jira] [Created] (MRM-1987) Port security fixes for 2.2.4 to 3.0.0","url":"https://lists.apache.org/thread.html/ada0052409d8a4a8c4eb2c7fd6b9cd9423bc753d5fce87eb826662fb@%3Cissues.archiva.apache.org%3E"},{"refsource":"BID","name":"108123","url":"http://www.securityfocus.com/bid/108123"},{"refsource":"MLIST","name":"[announce] 20190430 [SECURITY] CVE-2019-0213: Apache Archiva Stored XSS","url":"https://lists.apache.org/thread.html/7bcea134c3d6fa72cdc1052922ac0914f399f63f4690b7937b80127d@%3Cannounce.apache.org%3E"}]},"description":{"description_data":[{"lang":"eng","value":"In Apache Archiva before 2.2.4, it may be possible to store malicious XSS code into central configuration entries, i.e. the logo URL. The vulnerability is considered as minor risk, as only users with admin role can change the configuration, or the communication between the browser and the Archiva server must be compromised."}]}},"nvd":{"publishedDate":"2019-04-30 22:29:00","lastModifiedDate":"2023-11-07 03:01:00","problem_types":["CWE-79"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE","baseScore":6.5,"baseSeverity":"MEDIUM"},"exploitabilityScore":2.8,"impactScore":3.6},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:S/C:N/I:P/A:P","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"SINGLE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":5.5},"severity":"MEDIUM","exploitabilityScore":8,"impactScore":4.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:apache:archiva:*:*:*:*:*:*:*:*","versionEndExcluding":"2.2.4","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2019","CveId":"213","Ordinal":"136333","Title":"CVE-2019-0213","CVE":"CVE-2019-0213","Year":"2019"},"notes":[{"CveYear":"2019","CveId":"213","Ordinal":"1","NoteData":"In Apache Archiva before 2.2.4, it may be possible to store malicious XSS code into central configuration entries, i.e. the logo URL. The vulnerability is considered as minor risk, as only users with admin role can change the configuration, or the communication between the browser and the Archiva server must be compromised.","Type":"Description","Title":null},{"CveYear":"2019","CveId":"213","Ordinal":"2","NoteData":"2019-04-30","Type":"Other","Title":"Published"},{"CveYear":"2019","CveId":"213","Ordinal":"3","NoteData":"2019-05-06","Type":"Other","Title":"Modified"}]}}}