CVE-2020-9495

Published: 19/06/2020 Updated: 24/06/2020
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Summary

Apache Archiva login service prior to 2.2.5 is vulnerable to LDAP injection. An attacker is able to retrieve user attribute data from the connected LDAP server by providing special values to the login form. With certain characters it is possible to modify the LDAP filter used to query the LDAP users. By measuring the response time for the login request, arbitrary attribute data can be retrieved from LDAP user objects.
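The filter modification described above comes from placing the submitted username into the search filter without escaping. The following is an added example, not code from Archiva or from this page: it escapes filter metacharacters per RFC 4515 before building the filter. The filter template, class name and sample inputs are assumptions made for illustration.

```java
public class LdapFilterDemo {
    // Hypothetical login filter template; the page does not show Archiva's real filter.
    static final String TEMPLATE = "(&(objectClass=inetOrgPerson)(uid=%s))";

    /** Escape a value for use inside an LDAP search filter assertion (RFC 4515, section 3). */
    static String escapeFilterValue(String value) {
        StringBuilder out = new StringBuilder(value.length() + 8);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '\\': out.append("\\5c"); break; // backslash first in spirit: it is the escape char
                case '*':  out.append("\\2a"); break; // wildcard
                case '(':  out.append("\\28"); break; // opens a filter component
                case ')':  out.append("\\29"); break; // closes a filter component
                case '\0': out.append("\\00"); break; // NUL
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Vulnerable pattern: the username becomes part of the filter syntax. */
    static String unsafeFilter(String username) {
        return String.format(TEMPLATE, username);
    }

    /** Hardened pattern: the username can only ever be a literal value. */
    static String safeFilter(String username) {
        return String.format(TEMPLATE, escapeFilterValue(username));
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one ordinary name, two containing metacharacters.
        String[] samples = { "alice", "al*", "alice)(cn=x" };
        for (String s : samples) {
            System.out.println("input : " + s);
            System.out.println("unsafe: " + unsafeFilter(s));
            System.out.println("safe  : " + safeFilter(s));
            System.out.println();
        }
    }
}
```

With escaping in place, every sample yields a filter with exactly one `uid` assertion, so the structure of the query no longer depends on what was typed into the login form.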

Affected Products

Vendor | Product | Versions
Apache | Archiva | 0.9, 1.0, 1.0.1, 1.0.2, 1.1, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.2, 1.2.1, 1.2.2, 1.3, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.8, 1.3.9, 1.4, 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4

Mailing Lists

CVE-2020-9495: Apache Archiva login service is vulnerable to LDAP injection. Severity: Medium. Vendor: The Apache Software Foundation. Versions Affected: Apache Archiva all versions before 2.2.5. By providing special values to the archiva login form, an attacker is able to retrieve user attribute data from the connected LDAP server. With certa ...

Github Repositories

ggolawski: repository containing only README.md, titled CVE-2020-9495 (1 commit, "Initial commit", 2a89a26). No description, website, or topics provided. No releases published.

A Docker image for Apache Archiva