{"api_version":"1","generated_at":"2026-04-22T17:45:26+00:00","cve":"CVE-2019-0214","urls":{"html":"https://cve.report/CVE-2019-0214","api":"https://cve.report/api/cve/CVE-2019-0214.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2019-0214","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2019-0214"},"summary":{"title":"CVE-2019-0214","description":"In Apache Archiva 2.0.0 - 2.2.3, it is possible to write files to the archiva server at arbitrary locations by using the artifact upload mechanism. Existing files can be overwritten, if the archiva run user has appropriate permission on the filesystem for the target file.","state":"PUBLIC","assigner":"security@apache.org","published_at":"2019-04-30 22:29:00","updated_at":"2023-11-07 03:01:00"},"problem_types":["NVD-CWE-noinfo"],"metrics":[],"references":[{"url":"https://lists.apache.org/thread.html/5851cb0214f22ba681fb445870eeb6b01afd1fb614e45a22978d7dda%40%3Cusers.archiva.apache.org%3E","name":"[archiva-users] 20190430 [SECURITY] CVE-2019-0214: Apache Archiva arbitrary file write and delete on the server","refsource":"","tags":[],"title":"Pony Mail!","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.apache.org/thread.html/ada0052409d8a4a8c4eb2c7fd6b9cd9423bc753d5fce87eb826662fb@%3Cissues.archiva.apache.org%3E","name":"[archiva-issues] 20190501 [jira] [Created] (MRM-1987) Port security fixes for 2.2.4 to 3.0.0","refsource":"MLIST","tags":["Third Party Advisory"],"title":"Pony Mail!","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.securityfocus.com/bid/108124","name":"108124","refsource":"BID","tags":["Third Party Advisory","VDB Entry"],"title":"Apache Archiva CVE-2019-0214 Arbitrary File Write Vulnerability","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://lists.apache.org/thread.html/18b670afc2f83034f47ebeb2f797c350fe60f1f2b33c95b95f467ef8%40%3Cannounce.apache.org%3E","name":"[announce] 20190430 [SECURITY] CVE-2019-0214: Apache Archiva arbitrary file write and delete on the server","refsource":"","tags":[],"title":"Pony Mail!","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.apache.org/thread.html/239349b6dd8f66cf87a70c287b03af451dea158b776d3dfc550b4f0e@%3Cusers.maven.apache.org%3E","name":"[maven-users] 20190430 [SECURITY] CVE-2019-0214: Apache Archiva arbitrary file write and delete on the server","refsource":"MLIST","tags":["Mailing List","Vendor Advisory"],"title":"Pony Mail!","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.apache.org/thread.html/5851cb0214f22ba681fb445870eeb6b01afd1fb614e45a22978d7dda@%3Cusers.archiva.apache.org%3E","name":"[archiva-users] 20190430 [SECURITY] CVE-2019-0214: Apache Archiva arbitrary file write and delete on the server","refsource":"MLIST","tags":["Mailing List","Vendor Advisory"],"title":"Pony Mail!","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.openwall.com/lists/oss-security/2019/04/30/8","name":"[oss-security] 20190430 [SECURITY] CVE-2019-0214: Apache Archiva arbitrary file write and delete on the server","refsource":"MLIST","tags":["Mailing List","Third Party Advisory"],"title":"oss-security - [SECURITY] CVE-2019-0214: Apache Archiva arbitrary file write and delete on the server","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.apache.org/thread.html/18b670afc2f83034f47ebeb2f797c350fe60f1f2b33c95b95f467ef8@%3Cannounce.apache.org%3E","name":"[announce] 20190430 [SECURITY] CVE-2019-0214: Apache Archiva arbitrary file write and delete on the server","refsource":"MLIST","tags":["Vendor Advisory"],"title":"Pony Mail!","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://seclists.org/bugtraq/2019/Apr/48","name":"20190430 [SECURITY] CVE-2019-0214: Apache Archiva arbitrary file write and delete on the server","refsource":"BUGTRAQ","tags":["Mailing List","Third Party Advisory"],"title":"Bugtraq: [SECURITY] CVE-2019-0214: Apache Archiva arbitrary file write and delete on the server","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://archiva.apache.org/security.html#CVE-2019-0214","name":"http://archiva.apache.org/security.html#CVE-2019-0214","refsource":"CONFIRM","tags":["Vendor Advisory"],"title":"Archiva – Security Vulnerabilities","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.apache.org/thread.html/239349b6dd8f66cf87a70c287b03af451dea158b776d3dfc550b4f0e%40%3Cusers.maven.apache.org%3E","name":"[maven-users] 20190430 [SECURITY] CVE-2019-0214: Apache Archiva arbitrary file write and delete on the server","refsource":"","tags":[],"title":"Pony Mail!","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.apache.org/thread.html/ada0052409d8a4a8c4eb2c7fd6b9cd9423bc753d5fce87eb826662fb%40%3Cissues.archiva.apache.org%3E","name":"[archiva-issues] 20190501 [jira] [Created] (MRM-1987) Port security fixes for 2.2.4 to 3.0.0","refsource":"","tags":[],"title":"Pony Mail!","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://packetstormsecurity.com/files/152684/Apache-Archiva-2.2.3-File-Write-Delete.html","name":"http://packetstormsecurity.com/files/152684/Apache-Archiva-2.2.3-File-Write-Delete.html","refsource":"MISC","tags":["Mitigation","Third Party Advisory","VDB Entry"],"title":"Apache Archiva 2.2.3 File Write / Delete ≈ Packet Storm","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2019-0214","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-0214","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2019","cve_id":"214","vulnerable":"1","versionEndIncluding":"1.3.9","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apache","cpe5":"archiva","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"214","vulnerable":"1","versionEndIncluding":"2.2.3","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apache","cpe5":"archiva","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2019-0214","qid":"981974","title":"Java (maven) Security Update for org.apache.archiva:archiva (GHSA-jxgm-9f58-w4xp)"}]},"source_records":{"cve_program":{"data_type":"CVE","data_format":"MITRE","data_version":"4.0","CVE_data_meta":{"ID":"CVE-2019-0214","ASSIGNER":"security@apache.org","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"vendor_name":"Apache","product":{"product_data":[{"product_name":"Apache Archiva","version":{"version_data":[{"version_value":"All versions prior to version 2.2.4"}]}}]}}]}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Arbitrary write/delete of files on the archiva server"}]}]},"references":{"reference_data":[{"refsource":"MLIST","name":"[maven-users] 20190430 [SECURITY] CVE-2019-0214: Apache Archiva arbitrary file write and delete on the server","url":"https://lists.apache.org/thread.html/239349b6dd8f66cf87a70c287b03af451dea158b776d3dfc550b4f0e@%3Cusers.maven.apache.org%3E"},{"refsource":"MLIST","name":"[archiva-users] 20190430 [SECURITY] CVE-2019-0214: Apache Archiva arbitrary file write and delete on the server","url":"https://lists.apache.org/thread.html/5851cb0214f22ba681fb445870eeb6b01afd1fb614e45a22978d7dda@%3Cusers.archiva.apache.org%3E"},{"refsource":"BUGTRAQ","name":"20190430 [SECURITY] CVE-2019-0214: Apache Archiva arbitrary file write and delete on the server","url":"https://seclists.org/bugtraq/2019/Apr/48"},{"refsource":"MLIST","name":"[oss-security] 20190430 [SECURITY] CVE-2019-0214: Apache Archiva arbitrary file write and delete on the server","url":"http://www.openwall.com/lists/oss-security/2019/04/30/8"},{"refsource":"MISC","name":"http://packetstormsecurity.com/files/152684/Apache-Archiva-2.2.3-File-Write-Delete.html","url":"http://packetstormsecurity.com/files/152684/Apache-Archiva-2.2.3-File-Write-Delete.html"},{"refsource":"CONFIRM","name":"http://archiva.apache.org/security.html#CVE-2019-0214","url":"http://archiva.apache.org/security.html#CVE-2019-0214"},{"refsource":"MLIST","name":"[archiva-issues] 20190501 [jira] [Created] (MRM-1987) Port security fixes for 2.2.4 to 3.0.0","url":"https://lists.apache.org/thread.html/ada0052409d8a4a8c4eb2c7fd6b9cd9423bc753d5fce87eb826662fb@%3Cissues.archiva.apache.org%3E"},{"refsource":"BID","name":"108124","url":"http://www.securityfocus.com/bid/108124"},{"refsource":"MLIST","name":"[announce] 20190430 [SECURITY] CVE-2019-0214: Apache Archiva arbitrary file write and delete on the server","url":"https://lists.apache.org/thread.html/18b670afc2f83034f47ebeb2f797c350fe60f1f2b33c95b95f467ef8@%3Cannounce.apache.org%3E"}]},"description":{"description_data":[{"lang":"eng","value":"In Apache Archiva 2.0.0 - 2.2.3, it is possible to write files to the archiva server at arbitrary locations by using the artifact upload mechanism. Existing files can be overwritten, if the archiva run user has appropriate permission on the filesystem for the target file."}]}},"nvd":{"publishedDate":"2019-04-30 22:29:00","lastModifiedDate":"2023-11-07 03:01:00","problem_types":["NVD-CWE-noinfo"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE","baseScore":6.5,"baseSeverity":"MEDIUM"},"exploitabilityScore":2.8,"impactScore":3.6},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:S/C:N/I:P/A:P","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"SINGLE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":5.5},"severity":"MEDIUM","exploitabilityScore":8,"impactScore":4.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:apache:archiva:*:*:*:*:*:*:*:*","versionStartIncluding":"2.0.0","versionEndIncluding":"2.2.3","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:apache:archiva:*:*:*:*:*:*:*:*","versionStartIncluding":"1.2","versionEndIncluding":"1.3.9","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2019","CveId":"214","Ordinal":"136334","Title":"CVE-2019-0214","CVE":"CVE-2019-0214","Year":"2019"},"notes":[{"CveYear":"2019","CveId":"214","Ordinal":"1","NoteData":"In Apache Archiva 2.0.0 - 2.2.3, it is possible to write files to the archiva server at arbitrary locations by using the artifact upload mechanism. Existing files can be overwritten, if the archiva run user has appropriate permission on the filesystem for the target file.","Type":"Description","Title":null},{"CveYear":"2019","CveId":"214","Ordinal":"2","NoteData":"2019-04-30","Type":"Other","Title":"Published"},{"CveYear":"2019","CveId":"214","Ordinal":"3","NoteData":"2019-05-02","Type":"Other","Title":"Modified"}]}}}