High severity8.0NVD Advisory· Published May 22, 2017· Updated May 13, 2026

CVE-2017-5657

Description

Several REST service endpoints of Apache Archiva are not protected against Cross Site Request Forgery (CSRF) attacks. A malicious site opened in the same browser as the archiva site, may send an HTML response that performs arbitrary actions on archiva services, with the same rights as the active archiva session (e.g. administrator rights).

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
org.apache.archiva:archivaMaven	< 2.2.3	2.2.3

Affected products

Apache/Archiva
cpe:2.3:a:apache:archiva:*:*:*:*:*:*:*:*
Range: <=2.2.1
Apache Software Foundation/Apache Archivav5
Range: 1.x

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

archiva.apache.org/security.htmlnvdPatchVendor AdvisoryWEB
www.securityfocus.com/bid/98570nvdThird Party AdvisoryVDB EntryWEB
github.com/advisories/GHSA-hf4p-mhc8-x2gpghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2017-5657ghsaADVISORY
lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3EghsaWEB
web.archive.org/web/20211206215453/https://securitytracker.com/id/1038528ghsaWEB
www.securitytracker.com/id/1038528nvd
lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8%40%3Ccommits.pulsar.apache.org%3Envd

News mentions

No linked articles in our index yet.

cvss	0.520
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000