Apache Archiva Arbitrary user password reset vulnerability
Description
In Apache Archiva, any registered user can reset the password for any user. This is fixed in Archiva 2.2.8.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In Apache Archiva, any registered user can reset the password of any other user, fixed in version 2.2.8.
Vulnerability
In Apache Archiva versions prior to 2.2.8, any registered user can reset the password of any other user without a proper authorization check. This is a privilege escalation vulnerability that affects all users of the system. [1]
Exploitation
An attacker needs a valid registered account in Archiva. Using that account, they can navigate to the password reset functionality and specify the username of any target user (including administrators). The system processes the reset request without verifying that the requester has the right to change that user's password. [1][2]
Impact
Successful exploitation allows the attacker to reset the password of any user, leading to full account takeover. This can result in unauthorized access to sensitive data, repository management, and administrative controls, compromising the entire Archiva instance. [1][2]
Mitigation
The vulnerability is fixed in Apache Archiva 2.2.8, released on 2022-05-25. Users should upgrade to this version immediately. No workarounds are available for earlier versions. [1]
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.archiva:archiva (Maven) | < 2.2.8 | 2.2.8 |
Affected products
- Apache Software Foundation / Apache Archiva (range: 2.2)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-5hqc-x78w-3cmw (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-29405 (NVD advisory)
- archiva.apache.org/docs/2.2.8/release-notes.html (Archiva 2.2.8 release notes)
News mentions
No linked articles in our index yet.