Apache Archiva prior to 2.2.9 may allow the anonymous user to read arbitrary files
Description
Apache Archiva prior to 2.2.9 allows unauthenticated reading of the database file when anonymous read is enabled, exposing sensitive data.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Overview
CVE-2022-40308 affects Apache Archiva versions prior to 2.2.9. When the anonymous read feature is enabled, the application fails to enforce authentication for direct access to the database file. This allows any unauthenticated user to retrieve the database file simply by requesting it, bypassing the login mechanism entirely [1][4].
Exploitation Conditions
Exploitation requires that the anonymous read setting is enabled in the Archiva configuration. No authentication or special network position is needed; an attacker only needs to know the path to the database file. The vulnerability can be triggered by a direct HTTP request to the database file location, without any prior interaction [4].
Impact
Successful exploitation leads to exposure of the entire database contents, which may include user credentials, repository metadata, and other sensitive information stored by Archiva. This could facilitate further attacks such as privilege escalation or data exfiltration [1][4].
Mitigation
Apache has addressed this issue in Archiva 2.2.9. Users are strongly advised to upgrade to this version or later. If an immediate upgrade is not possible, the only workaround is to disable anonymous read, though this may impact functionality [1][4].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.archiva:archiva-common (Maven) | < 2.2.9 | 2.2.9 |
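An added example (not from the advisory or the Archiva project): a Python check that reads a module `pom.xml` like those in the release diff, inherits the version from `<parent>` when the module declares none, and compares it with the patched version 2.2.9. The ordering in `version_key` is a simplified stand-in for Maven's version comparison, the status strings are this example's own, and `sample_pom` builds constructed input.

```python
import re
import xml.etree.ElementTree as ET

GROUP = "org.apache.archiva"
FIXED = "2.2.9"  # first patched version, from the advisory table on this page
# Qualifiers Maven orders before the plain release (simplified list).
PRE_RELEASE = {"alpha", "beta", "milestone", "rc", "cr", "snapshot"}


def version_key(version):
    """Sortable key: numeric parts compared as integers, pre-releases first."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-(.+))?", version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    nums += [0] * (3 - len(nums))  # 2.3 compares as 2.3.0
    word = re.match(r"[a-z]*", (m.group(2) or "").lower()).group(0)
    return (tuple(nums), -1 if word in PRE_RELEASE else 0)


def _find(elem, name):
    """First direct child called `name`, ignoring the POM XML namespace."""
    if elem is None:
        return None
    for child in elem:
        if child.tag.rsplit("}", 1)[-1] == name:
            return child
    return None


def _text(elem, name):
    found = _find(elem, name)
    return (found.text or "").strip() if found is not None else None


def effective_coordinates(pom_xml):
    """(groupId, artifactId, version), inheriting groupId/version from <parent>."""
    root = ET.fromstring(pom_xml)  # input is assumed to be your own build files
    parent = _find(root, "parent")
    group = _text(root, "groupId") or _text(parent, "groupId")
    version = _text(root, "version") or _text(parent, "version")
    return group, _text(root, "artifactId"), version


def assess(pom_xml):
    """Classify one POM against the advisory range '< 2.2.9'."""
    group, _artifact, version = effective_coordinates(pom_xml)
    if group != GROUP:
        return "not-archiva"
    if not version or "${" in version:
        return "unknown"  # property-based version: resolve it with Maven itself
    # 2.2.9-SNAPSHOT sorts below 2.2.9; the string alone cannot show whether
    # a given snapshot build already contains the fix, so it stays in range.
    in_range = version_key(version) < version_key(FIXED)
    return "in-affected-range" if in_range else "patched"


def sample_pom(artifact, parent_version, group=GROUP):
    """Constructed module POM shaped like the ones in the release diff."""
    return f"""<project xmlns="http://maven.apache.org/POM/4.0.0">
  <parent>
    <groupId>{group}</groupId>
    <artifactId>archiva-base</artifactId>
    <version>{parent_version}</version>
  </parent>
  <modelVersion>4.0.0</modelVersion>
  <artifactId>{artifact}</artifactId>
</project>"""


if __name__ == "__main__":
    for v in ("2.2.8", "2.2.9-SNAPSHOT", "2.2.9", "2.2.10"):
        print(v, assess(sample_pom("archiva-common", v)))
```

Jars built by Maven normally carry their POM under `META-INF/maven/`, so the same check can be pointed at a deployed artifact rather than a source checkout.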
Affected products: 2
Patches
1f8e7fc29cff8[maven-release-plugin] prepare release archiva-2.2.9
69 files changed · +69 −69
archiva-cli/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <groupId>org.apache.archiva</groupId> <artifactId>archiva</artifactId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <modelVersion>4.0.0</modelVersion> <artifactId>archiva-cli</artifactId>
archiva-docs/pom.xml+1 −1 modified@@ -21,7 +21,7 @@ <parent> <groupId>org.apache.archiva</groupId> <artifactId>archiva</artifactId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <modelVersion>4.0.0</modelVersion> <artifactId>archiva-docs</artifactId>
archiva-jetty/pom.xml+1 −1 modified@@ -23,7 +23,7 @@ <parent> <groupId>org.apache.archiva</groupId> <artifactId>archiva</artifactId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <artifactId>archiva-jetty</artifactId> <packaging>pom</packaging>
archiva-modules/archiva-base/archiva-checksum/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <groupId>org.apache.archiva</groupId> <artifactId>archiva-base</artifactId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <artifactId>archiva-checksum</artifactId> <packaging>bundle</packaging>
archiva-modules/archiva-base/archiva-common/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <groupId>org.apache.archiva</groupId> <artifactId>archiva-base</artifactId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <modelVersion>4.0.0</modelVersion> <artifactId>archiva-common</artifactId>
archiva-modules/archiva-base/archiva-configuration/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <groupId>org.apache.archiva</groupId> <artifactId>archiva-base</artifactId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <modelVersion>4.0.0</modelVersion> <artifactId>archiva-configuration</artifactId>
archiva-modules/archiva-base/archiva-consumers/archiva-consumer-api/pom.xml+1 −1 modified@@ -23,7 +23,7 @@ <parent> <groupId>org.apache.archiva</groupId> <artifactId>archiva-consumers</artifactId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <artifactId>archiva-consumer-api</artifactId> <packaging>bundle</packaging>
archiva-modules/archiva-base/archiva-consumers/archiva-consumer-archetype/pom.xml+1 −1 modified@@ -23,7 +23,7 @@ <parent> <groupId>org.apache.archiva</groupId> <artifactId>archiva-consumers</artifactId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <artifactId>archiva-consumer-archetype</artifactId> <packaging>maven-archetype</packaging>
archiva-modules/archiva-base/archiva-consumers/archiva-core-consumers/pom.xml+1 −1 modified@@ -23,7 +23,7 @@ <parent> <groupId>org.apache.archiva</groupId> <artifactId>archiva-consumers</artifactId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <artifactId>archiva-core-consumers</artifactId> <packaging>bundle</packaging>
archiva-modules/archiva-base/archiva-consumers/archiva-lucene-consumers/pom.xml+1 −1 modified@@ -23,7 +23,7 @@ <parent> <groupId>org.apache.archiva</groupId> <artifactId>archiva-consumers</artifactId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <artifactId>archiva-lucene-consumers</artifactId> <packaging>bundle</packaging>
archiva-modules/archiva-base/archiva-consumers/archiva-metadata-consumer/pom.xml+1 −1 modified@@ -23,7 +23,7 @@ <parent> <artifactId>archiva-consumers</artifactId> <groupId>org.apache.archiva</groupId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <artifactId>archiva-metadata-consumer</artifactId> <packaging>bundle</packaging>
archiva-modules/archiva-base/archiva-consumers/archiva-signature-consumers/pom.xml+1 −1 modified@@ -20,7 +20,7 @@ <parent> <groupId>org.apache.archiva</groupId> <artifactId>archiva-consumers</artifactId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <artifactId>archiva-signature-consumers</artifactId>
archiva-modules/archiva-base/archiva-consumers/pom.xml+1 −1 modified@@ -23,7 +23,7 @@ <parent> <groupId>org.apache.archiva</groupId> <artifactId>archiva-base</artifactId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <artifactId>archiva-consumers</artifactId>
archiva-modules/archiva-base/archiva-converter/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <groupId>org.apache.archiva</groupId> <artifactId>archiva-base</artifactId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <modelVersion>4.0.0</modelVersion> <artifactId>archiva-converter</artifactId>
archiva-modules/archiva-base/archiva-filelock/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <groupId>org.apache.archiva</groupId> <artifactId>archiva-base</artifactId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <modelVersion>4.0.0</modelVersion> <artifactId>archiva-filelock</artifactId>
archiva-modules/archiva-base/archiva-indexer/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <groupId>org.apache.archiva</groupId> <artifactId>archiva-base</artifactId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <modelVersion>4.0.0</modelVersion> <artifactId>archiva-indexer</artifactId>
archiva-modules/archiva-base/archiva-maven2-metadata/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <groupId>org.apache.archiva</groupId> <artifactId>archiva-base</artifactId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <artifactId>archiva-maven2-metadata</artifactId>
archiva-modules/archiva-base/archiva-maven2-model/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <groupId>org.apache.archiva</groupId> <artifactId>archiva-base</artifactId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <artifactId>archiva-maven2-model</artifactId>
archiva-modules/archiva-base/archiva-mock/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <groupId>org.apache.archiva</groupId> <artifactId>archiva-base</artifactId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <modelVersion>4.0.0</modelVersion> <artifactId>archiva-mock</artifactId>
archiva-modules/archiva-base/archiva-model/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <groupId>org.apache.archiva</groupId> <artifactId>archiva-base</artifactId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <modelVersion>4.0.0</modelVersion> <artifactId>archiva-model</artifactId>
archiva-modules/archiva-base/archiva-plexus-bridge/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <groupId>org.apache.archiva</groupId> <artifactId>archiva-base</artifactId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <modelVersion>4.0.0</modelVersion> <artifactId>archiva-plexus-bridge</artifactId>
archiva-modules/archiva-base/archiva-policies/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <groupId>org.apache.archiva</groupId> <artifactId>archiva-base</artifactId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <modelVersion>4.0.0</modelVersion> <artifactId>archiva-policies</artifactId>
archiva-modules/archiva-base/archiva-proxy-api/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <artifactId>archiva-base</artifactId> <groupId>org.apache.archiva</groupId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <artifactId>archiva-proxy-api</artifactId> <packaging>bundle</packaging>
archiva-modules/archiva-base/archiva-proxy-common/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <artifactId>archiva-base</artifactId> <groupId>org.apache.archiva</groupId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <artifactId>archiva-proxy-common</artifactId> <packaging>bundle</packaging>
archiva-modules/archiva-base/archiva-proxy/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <groupId>org.apache.archiva</groupId> <artifactId>archiva-base</artifactId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <modelVersion>4.0.0</modelVersion> <artifactId>archiva-proxy</artifactId>
archiva-modules/archiva-base/archiva-repository-admin/archiva-repository-admin-api/pom.xml+1 −1 modified@@ -23,7 +23,7 @@ <parent> <groupId>org.apache.archiva</groupId> <artifactId>archiva-repository-admin</artifactId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <artifactId>archiva-repository-admin-api</artifactId> <packaging>bundle</packaging>
archiva-modules/archiva-base/archiva-repository-admin/archiva-repository-admin-default/pom.xml+1 −1 modified@@ -23,7 +23,7 @@ <parent> <groupId>org.apache.archiva</groupId> <artifactId>archiva-repository-admin</artifactId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <artifactId>archiva-repository-admin-default</artifactId> <packaging>bundle</packaging>
archiva-modules/archiva-base/archiva-repository-admin/pom.xml+1 −1 modified@@ -23,7 +23,7 @@ <parent> <groupId>org.apache.archiva</groupId> <artifactId>archiva-base</artifactId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <artifactId>archiva-repository-admin</artifactId> <name>Archiva Base :: Repository Admin</name>
archiva-modules/archiva-base/archiva-repository-layer/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <groupId>org.apache.archiva</groupId> <artifactId>archiva-base</artifactId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <modelVersion>4.0.0</modelVersion> <artifactId>archiva-repository-layer</artifactId>
archiva-modules/archiva-base/archiva-repository-scanner/pom.xml+1 −1 modified@@ -23,7 +23,7 @@ <parent> <artifactId>archiva-base</artifactId> <groupId>org.apache.archiva</groupId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <artifactId>archiva-repository-scanner</artifactId> <packaging>bundle</packaging>
archiva-modules/archiva-base/archiva-security-common/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <artifactId>archiva-base</artifactId> <groupId>org.apache.archiva</groupId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <groupId>org.apache.archiva</groupId> <artifactId>archiva-security-common</artifactId>
archiva-modules/archiva-base/archiva-test-utils/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <artifactId>archiva-base</artifactId> <groupId>org.apache.archiva</groupId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <modelVersion>4.0.0</modelVersion> <artifactId>archiva-test-utils</artifactId>
archiva-modules/archiva-base/archiva-transaction/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <groupId>org.apache.archiva</groupId> <artifactId>archiva-base</artifactId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <artifactId>archiva-transaction</artifactId> <packaging>bundle</packaging>
archiva-modules/archiva-base/archiva-xml-tools/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <groupId>org.apache.archiva</groupId> <artifactId>archiva-base</artifactId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <modelVersion>4.0.0</modelVersion> <artifactId>archiva-xml-tools</artifactId>
archiva-modules/archiva-base/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <groupId>org.apache.archiva</groupId> <artifactId>archiva-modules</artifactId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <artifactId>archiva-base</artifactId>
archiva-modules/archiva-karaf/archiva-features/pom.xml+1 −1 modified@@ -21,7 +21,7 @@ <parent> <groupId>org.apache.archiva</groupId> <artifactId>archiva-karaf</artifactId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <modelVersion>4.0.0</modelVersion> <groupId>org.apache.archiva.karaf</groupId>
archiva-modules/archiva-karaf/pom.xml+1 −1 modified@@ -21,7 +21,7 @@ <parent> <groupId>org.apache.archiva</groupId> <artifactId>archiva-modules</artifactId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <modelVersion>4.0.0</modelVersion> <artifactId>archiva-karaf</artifactId>
archiva-modules/archiva-scheduler/archiva-scheduler-api/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <artifactId>archiva-scheduler</artifactId> <groupId>org.apache.archiva</groupId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <artifactId>archiva-scheduler-api</artifactId> <packaging>bundle</packaging>
archiva-modules/archiva-scheduler/archiva-scheduler-indexing/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <artifactId>archiva-scheduler</artifactId> <groupId>org.apache.archiva</groupId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <artifactId>archiva-scheduler-indexing</artifactId> <packaging>bundle</packaging>
archiva-modules/archiva-scheduler/archiva-scheduler-repository-api/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <artifactId>archiva-scheduler</artifactId> <groupId>org.apache.archiva</groupId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <artifactId>archiva-scheduler-repository-api</artifactId> <packaging>bundle</packaging>
archiva-modules/archiva-scheduler/archiva-scheduler-repository/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <artifactId>archiva-scheduler</artifactId> <groupId>org.apache.archiva</groupId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <artifactId>archiva-scheduler-repository</artifactId> <packaging>bundle</packaging>
archiva-modules/archiva-scheduler/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <groupId>org.apache.archiva</groupId> <artifactId>archiva-modules</artifactId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <modelVersion>4.0.0</modelVersion> <artifactId>archiva-scheduler</artifactId>
archiva-modules/archiva-web/archiva-rest/archiva-rest-api/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <artifactId>archiva-rest</artifactId> <groupId>org.apache.archiva</groupId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <artifactId>archiva-rest-api</artifactId> <!-- DO NOT USE bundle packaging generated documentation is not included in the jar !!! -->
archiva-modules/archiva-web/archiva-rest/archiva-rest-services/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <groupId>org.apache.archiva</groupId> <artifactId>archiva-rest</artifactId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <artifactId>archiva-rest-services</artifactId> <packaging>bundle</packaging>
archiva-modules/archiva-web/archiva-rest/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <groupId>org.apache.archiva</groupId> <artifactId>archiva-web</artifactId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <artifactId>archiva-rest</artifactId> <name>Archiva Web :: REST support</name>
archiva-modules/archiva-web/archiva-rss/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <artifactId>archiva-web</artifactId> <groupId>org.apache.archiva</groupId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <modelVersion>4.0.0</modelVersion> <artifactId>archiva-rss</artifactId>
archiva-modules/archiva-web/archiva-security/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <groupId>org.apache.archiva</groupId> <artifactId>archiva-web</artifactId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <modelVersion>4.0.0</modelVersion> <artifactId>archiva-security</artifactId>
archiva-modules/archiva-web/archiva-test-mocks/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <groupId>org.apache.archiva</groupId> <artifactId>archiva-web</artifactId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <artifactId>archiva-test-mocks</artifactId>
archiva-modules/archiva-web/archiva-webapp/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <groupId>org.apache.archiva</groupId> <artifactId>archiva-web</artifactId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <artifactId>archiva-webapp</artifactId> <packaging>war</packaging>
archiva-modules/archiva-web/archiva-web-common/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <groupId>org.apache.archiva</groupId> <artifactId>archiva-web</artifactId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <artifactId>archiva-web-common</artifactId>
archiva-modules/archiva-web/archiva-webdav/pom.xml+1 −1 modified@@ -23,7 +23,7 @@ <parent> <groupId>org.apache.archiva</groupId> <artifactId>archiva-web</artifactId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <artifactId>archiva-webdav</artifactId>
archiva-modules/archiva-web/pom.xml+1 −1 modified@@ -19,7 +19,7 @@ <parent> <groupId>org.apache.archiva</groupId> <artifactId>archiva-modules</artifactId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <artifactId>archiva-web</artifactId>
archiva-modules/metadata/metadata-model-maven2/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <artifactId>metadata</artifactId> <groupId>org.apache.archiva</groupId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <artifactId>metadata-model-maven2</artifactId> <packaging>bundle</packaging>
archiva-modules/metadata/metadata-model/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <artifactId>metadata</artifactId> <groupId>org.apache.archiva</groupId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <artifactId>metadata-model</artifactId> <packaging>bundle</packaging>
archiva-modules/metadata/metadata-repository-api/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <artifactId>metadata</artifactId> <groupId>org.apache.archiva</groupId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <artifactId>metadata-repository-api</artifactId> <packaging>bundle</packaging>
archiva-modules/metadata/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <artifactId>archiva-modules</artifactId> <groupId>org.apache.archiva</groupId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <artifactId>metadata</artifactId> <name>Archiva :: Metadata</name>
archiva-modules/metadata/test-repository/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <artifactId>metadata</artifactId> <groupId>org.apache.archiva</groupId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <artifactId>test-repository</artifactId> <name>Archiva Metadata :: Repository for Testing</name>
archiva-modules/plugins/audit/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <artifactId>plugins</artifactId> <groupId>org.apache.archiva</groupId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <artifactId>audit</artifactId> <packaging>bundle</packaging>
archiva-modules/plugins/generic-metadata-support/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <artifactId>plugins</artifactId> <groupId>org.apache.archiva</groupId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <artifactId>generic-metadata-support</artifactId> <packaging>bundle</packaging>
archiva-modules/plugins/maven2-repository/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <groupId>org.apache.archiva</groupId> <artifactId>plugins</artifactId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <artifactId>maven2-repository</artifactId> <packaging>bundle</packaging>
archiva-modules/plugins/metadata-store-cassandra/pom.xml+1 −1 modified@@ -23,7 +23,7 @@ <parent> <artifactId>plugins</artifactId> <groupId>org.apache.archiva</groupId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <artifactId>metadata-store-cassandra</artifactId> <packaging>bundle</packaging>
archiva-modules/plugins/metadata-store-file/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <artifactId>plugins</artifactId> <groupId>org.apache.archiva</groupId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <artifactId>metadata-store-file</artifactId> <packaging>bundle</packaging>
archiva-modules/plugins/metadata-store-jcr/pom.xml+1 −1 modified@@ -23,7 +23,7 @@ <parent> <artifactId>plugins</artifactId> <groupId>org.apache.archiva</groupId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <artifactId>metadata-store-jcr</artifactId> <packaging>bundle</packaging>
archiva-modules/plugins/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <artifactId>archiva-modules</artifactId> <groupId>org.apache.archiva</groupId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <artifactId>plugins</artifactId> <name>Archiva :: Core Plugins</name>
archiva-modules/plugins/problem-reports/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <artifactId>plugins</artifactId> <groupId>org.apache.archiva</groupId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <artifactId>problem-reports</artifactId> <packaging>bundle</packaging>
archiva-modules/plugins/repository-statistics/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <artifactId>plugins</artifactId> <groupId>org.apache.archiva</groupId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <artifactId>repository-statistics</artifactId> <packaging>bundle</packaging>
archiva-modules/plugins/stage-repository-merge/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <artifactId>plugins</artifactId> <groupId>org.apache.archiva</groupId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <groupId>org.apache.archiva</groupId> <artifactId>stage-repository-merge</artifactId>
archiva-modules/pom.xml+1 −1 modified@@ -21,7 +21,7 @@ <parent> <artifactId>archiva</artifactId> <groupId>org.apache.archiva</groupId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <modelVersion>4.0.0</modelVersion> <artifactId>archiva-modules</artifactId>
pom.xml+1 −1 modified@@ -27,7 +27,7 @@ </parent> <artifactId>archiva</artifactId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> <packaging>pom</packaging> <name>Apache Archiva</name>
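Review bot: nothing in these hunks can be checked against CVE-2022-40308, because the only changed line in each pom.xml is the `<version>` element going from 2.2.9-SNAPSHOT to 2.2.9, in the `<parent>` block of every module and in the root pom.xml's own coordinates. The commit that changes the access check for the database file should be linked alongside this one; as a release-preparation commit, this diff only marks 2.2.9 as the released version and gives no way to confirm that the unauthenticated read is closed.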
Vulnerability mechanics
Root cause
"Missing access control on the database file endpoint allows unauthenticated read when anonymous read is enabled."
Attack vector
When anonymous read is enabled in Apache Archiva, an unauthenticated attacker can directly request the database file path without any login credentials. The advisory states that the database file can be read directly, implying the file is served or accessible via a predictable URL. No authentication is required, and the attacker only needs network access to the Archiva instance.
Affected code
The patch only updates version strings from 2.2.9-SNAPSHOT to 2.2.9 across multiple pom.xml files as part of a release preparation. No functional code changes are present in the supplied diff, so the specific vulnerable code paths are not visible in this bundle.
What the fix does
The supplied patch [patch_id=1666572] is a release preparation commit that only updates version strings from 2.2.9-SNAPSHOT to 2.2.9 across pom.xml files. It contains no functional code changes that would close a vulnerability. The actual security fix for CVE-2022-40308 is not present in this bundle; the patch shown here is simply the Maven release plugin's version bump.
Preconditions
- config: Anonymous read must be enabled in the Archiva configuration.
- network: Attacker must have network access to the Archiva instance.
Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-463w-hxfv-g9f6 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2022-40308 (ghsa, ADVISORY)
- www.openwall.com/lists/oss-security/2022/11/15/2 (ghsa, mailing-list, WEB)
- archiva.apache.org/security.html (ghsa, WEB)
- lists.apache.org/thread/x01pnn0jjsw512cscxsbxzrjmz64n4cc (ghsa, WEB)