CVE-2019-0214
Description
In Apache Archiva 2.0.0 - 2.2.3, it is possible to write files to the Archiva server at arbitrary locations by using the artifact upload mechanism. Existing files can be overwritten if the Archiva run user has appropriate permission on the filesystem for the target file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Archiva 2.0.0–2.2.3 allows arbitrary file write via artifact upload, enabling overwrite of existing files if file system permissions allow.
Vulnerability
CVE-2019-0214 is a critical vulnerability in Apache Archiva versions 2.0.0 through 2.2.3. The artifact upload mechanism lacks proper validation of file paths, allowing an attacker to write files to arbitrary locations on the server. This flaw can also be used to overwrite existing files, provided the Archiva run user has the necessary file system permissions [1][4].
Exploitation
No authentication is required to exploit this vulnerability; any user capable of uploading artifacts can leverage it. By crafting a malicious artifact with a path traversal payload, the attacker can direct the file write to any directory the Archiva service account can write to. This may include configuration directories, application binaries, or any other sensitive location [1][3].
Impact
Successful exploitation grants an attacker the ability to overwrite critical files, potentially leading to remote code execution (e.g., by overwriting JSP files or configuration), privilege escalation, or denial of service. The impact is limited only by the file system permissions of the Archiva process [1][4].
Mitigation
The Apache Archiva project has addressed this vulnerability in version 2.2.4, which introduces additional validation to prevent malicious parameter values. Users are strongly advised to upgrade immediately. No workaround is available other than upgrading [3][4].
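One way an upload handler can enforce that Maven coordinates never leave the repository directory, shown here as an added example that is not Archiva's code or its 2.2.4 fix; the repository root, the allow-list patterns and the function names are assumptions for illustration.

```python
import re
from pathlib import Path, PurePosixPath

# Assumed repository root (constructed for this example, not an Archiva default).
REPO_ROOT = Path("/srv/archiva/repositories/internal")

# Assumed allow-lists: a groupId is dot-separated plain segments, every other
# coordinate is one plain filename segment. No "/", "\", "%" or leading "."
# can pass, so "..", "../x" and URL-encoded traversal are rejected up front.
_GROUP_RE = re.compile(r"^[A-Za-z0-9_-]+(\.[A-Za-z0-9_-]+)*$")
_SEGMENT_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


class UnsafeArtifactPath(ValueError):
    """Raised when upload coordinates would map outside the repository root."""


def resolve_artifact_path(root, group_id, artifact_id, version, filename):
    """Map Maven coordinates to an on-disk path and prove it stays under root."""
    if not _GROUP_RE.match(group_id):
        raise UnsafeArtifactPath(f"bad groupId: {group_id!r}")
    for name, value in (("artifactId", artifact_id),
                        ("version", version),
                        ("filename", filename)):
        if not _SEGMENT_RE.match(value):
            raise UnsafeArtifactPath(f"bad {name}: {value!r}")

    relative = PurePosixPath(*group_id.split("."), artifact_id, version, filename)
    root_resolved = Path(root).resolve()
    target = (root_resolved / relative).resolve()

    # Second line of defence: after canonicalisation the target must still be
    # a strict descendant of the root, even if the allow-list above is relaxed.
    if root_resolved not in target.parents:
        raise UnsafeArtifactPath(f"escapes repository root: {target}")
    return target


def is_safe_upload(root, group_id, artifact_id, version, filename):
    """Boolean form of the same check, convenient for request filtering."""
    try:
        resolve_artifact_path(root, group_id, artifact_id, version, filename)
        return True
    except UnsafeArtifactPath:
        return False
```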
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.archiva:archivaMaven | >= 2.2.0, < 2.2.4 | 2.2.4 |
Affected products
- Apache / Apache Archiva: all versions prior to 2.2.4
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-jxgm-9f58-w4xp
- nvd.nist.gov/vuln/detail/CVE-2019-0214
- archiva.apache.org/security.html
- packetstormsecurity.com/files/152684/Apache-Archiva-2.2.3-File-Write-Delete.html
- www.openwall.com/lists/oss-security/2019/04/30/8
- www.securityfocus.com/bid/108124
- lists.apache.org/thread.html/18b670afc2f83034f47ebeb2f797c350fe60f1f2b33c95b95f467ef8@%3Cannounce.apache.org%3E
- lists.apache.org/thread.html/239349b6dd8f66cf87a70c287b03af451dea158b776d3dfc550b4f0e@%3Cusers.maven.apache.org%3E
- lists.apache.org/thread.html/5851cb0214f22ba681fb445870eeb6b01afd1fb614e45a22978d7dda@%3Cusers.archiva.apache.org%3E
- lists.apache.org/thread.html/ada0052409d8a4a8c4eb2c7fd6b9cd9423bc753d5fce87eb826662fb@%3Cissues.archiva.apache.org%3E
- seclists.org/bugtraq/2019/Apr/48
News mentions
No linked articles in our index yet.