Apache Archiva prior to 2.2.9 allows an authenticated user to delete arbitrary directories
Description
Apache Archiva before 2.2.9 allows authenticated users with write permissions to delete arbitrary directories, risking data loss.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
CVE-2022-40309 affects Apache Archiva, a repository management tool. The flaw allows users who have write permissions to a repository to delete arbitrary directories on the server, not just within the repository scope [1][3]. This indicates insufficient path validation in the repository management functionality.
Exploitation
An attacker needs valid credentials with write permissions to at least one repository. No additional privileges are required. The attack is carried out by crafting requests that escape the repository directory, enabling deletion of arbitrary system directories [3].
Impact
Successful exploitation can lead to deletion of critical system files, causing data loss, service disruption, or denial of service. A CVSS score is not provided, but it is likely high given the potential for significant impact on data integrity and availability.
Mitigation
Apache Archiva fixed this issue in version 2.2.9. Users should upgrade to 2.2.9 or later. There are no known workarounds. The vulnerability was discovered by L3yx of Syclover Security Team [3].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.archiva:archiva-common (Maven) | < 2.2.9 | 2.2.9 |
Affected products: 2
Patches: 1
f8e7fc29cff8 [maven-release-plugin] prepare release archiva-2.2.9
69 files changed · +69 −69
archiva-cli/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <groupId>org.apache.archiva</groupId> <artifactId>archiva</artifactId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <modelVersion>4.0.0</modelVersion> <artifactId>archiva-cli</artifactId>
archiva-docs/pom.xml+1 −1 modified@@ -21,7 +21,7 @@ <parent> <groupId>org.apache.archiva</groupId> <artifactId>archiva</artifactId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <modelVersion>4.0.0</modelVersion> <artifactId>archiva-docs</artifactId>
archiva-jetty/pom.xml+1 −1 modified@@ -23,7 +23,7 @@ <parent> <groupId>org.apache.archiva</groupId> <artifactId>archiva</artifactId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <artifactId>archiva-jetty</artifactId> <packaging>pom</packaging>
archiva-modules/archiva-base/archiva-checksum/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <groupId>org.apache.archiva</groupId> <artifactId>archiva-base</artifactId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <artifactId>archiva-checksum</artifactId> <packaging>bundle</packaging>
archiva-modules/archiva-base/archiva-common/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <groupId>org.apache.archiva</groupId> <artifactId>archiva-base</artifactId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <modelVersion>4.0.0</modelVersion> <artifactId>archiva-common</artifactId>
archiva-modules/archiva-base/archiva-configuration/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <groupId>org.apache.archiva</groupId> <artifactId>archiva-base</artifactId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <modelVersion>4.0.0</modelVersion> <artifactId>archiva-configuration</artifactId>
archiva-modules/archiva-base/archiva-consumers/archiva-consumer-api/pom.xml+1 −1 modified@@ -23,7 +23,7 @@ <parent> <groupId>org.apache.archiva</groupId> <artifactId>archiva-consumers</artifactId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <artifactId>archiva-consumer-api</artifactId> <packaging>bundle</packaging>
archiva-modules/archiva-base/archiva-consumers/archiva-consumer-archetype/pom.xml+1 −1 modified@@ -23,7 +23,7 @@ <parent> <groupId>org.apache.archiva</groupId> <artifactId>archiva-consumers</artifactId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <artifactId>archiva-consumer-archetype</artifactId> <packaging>maven-archetype</packaging>
archiva-modules/archiva-base/archiva-consumers/archiva-core-consumers/pom.xml+1 −1 modified@@ -23,7 +23,7 @@ <parent> <groupId>org.apache.archiva</groupId> <artifactId>archiva-consumers</artifactId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <artifactId>archiva-core-consumers</artifactId> <packaging>bundle</packaging>
archiva-modules/archiva-base/archiva-consumers/archiva-lucene-consumers/pom.xml+1 −1 modified@@ -23,7 +23,7 @@ <parent> <groupId>org.apache.archiva</groupId> <artifactId>archiva-consumers</artifactId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <artifactId>archiva-lucene-consumers</artifactId> <packaging>bundle</packaging>
archiva-modules/archiva-base/archiva-consumers/archiva-metadata-consumer/pom.xml+1 −1 modified@@ -23,7 +23,7 @@ <parent> <artifactId>archiva-consumers</artifactId> <groupId>org.apache.archiva</groupId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <artifactId>archiva-metadata-consumer</artifactId> <packaging>bundle</packaging>
archiva-modules/archiva-base/archiva-consumers/archiva-signature-consumers/pom.xml+1 −1 modified@@ -20,7 +20,7 @@ <parent> <groupId>org.apache.archiva</groupId> <artifactId>archiva-consumers</artifactId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <artifactId>archiva-signature-consumers</artifactId>
archiva-modules/archiva-base/archiva-consumers/pom.xml+1 −1 modified@@ -23,7 +23,7 @@ <parent> <groupId>org.apache.archiva</groupId> <artifactId>archiva-base</artifactId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <artifactId>archiva-consumers</artifactId>
archiva-modules/archiva-base/archiva-converter/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <groupId>org.apache.archiva</groupId> <artifactId>archiva-base</artifactId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <modelVersion>4.0.0</modelVersion> <artifactId>archiva-converter</artifactId>
archiva-modules/archiva-base/archiva-filelock/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <groupId>org.apache.archiva</groupId> <artifactId>archiva-base</artifactId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <modelVersion>4.0.0</modelVersion> <artifactId>archiva-filelock</artifactId>
archiva-modules/archiva-base/archiva-indexer/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <groupId>org.apache.archiva</groupId> <artifactId>archiva-base</artifactId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <modelVersion>4.0.0</modelVersion> <artifactId>archiva-indexer</artifactId>
archiva-modules/archiva-base/archiva-maven2-metadata/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <groupId>org.apache.archiva</groupId> <artifactId>archiva-base</artifactId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <artifactId>archiva-maven2-metadata</artifactId>
archiva-modules/archiva-base/archiva-maven2-model/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <groupId>org.apache.archiva</groupId> <artifactId>archiva-base</artifactId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <artifactId>archiva-maven2-model</artifactId>
archiva-modules/archiva-base/archiva-mock/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <groupId>org.apache.archiva</groupId> <artifactId>archiva-base</artifactId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <modelVersion>4.0.0</modelVersion> <artifactId>archiva-mock</artifactId>
archiva-modules/archiva-base/archiva-model/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <groupId>org.apache.archiva</groupId> <artifactId>archiva-base</artifactId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <modelVersion>4.0.0</modelVersion> <artifactId>archiva-model</artifactId>
archiva-modules/archiva-base/archiva-plexus-bridge/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <groupId>org.apache.archiva</groupId> <artifactId>archiva-base</artifactId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <modelVersion>4.0.0</modelVersion> <artifactId>archiva-plexus-bridge</artifactId>
archiva-modules/archiva-base/archiva-policies/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <groupId>org.apache.archiva</groupId> <artifactId>archiva-base</artifactId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <modelVersion>4.0.0</modelVersion> <artifactId>archiva-policies</artifactId>
archiva-modules/archiva-base/archiva-proxy-api/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <artifactId>archiva-base</artifactId> <groupId>org.apache.archiva</groupId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <artifactId>archiva-proxy-api</artifactId> <packaging>bundle</packaging>
archiva-modules/archiva-base/archiva-proxy-common/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <artifactId>archiva-base</artifactId> <groupId>org.apache.archiva</groupId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <artifactId>archiva-proxy-common</artifactId> <packaging>bundle</packaging>
archiva-modules/archiva-base/archiva-proxy/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <groupId>org.apache.archiva</groupId> <artifactId>archiva-base</artifactId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <modelVersion>4.0.0</modelVersion> <artifactId>archiva-proxy</artifactId>
archiva-modules/archiva-base/archiva-repository-admin/archiva-repository-admin-api/pom.xml+1 −1 modified@@ -23,7 +23,7 @@ <parent> <groupId>org.apache.archiva</groupId> <artifactId>archiva-repository-admin</artifactId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <artifactId>archiva-repository-admin-api</artifactId> <packaging>bundle</packaging>
archiva-modules/archiva-base/archiva-repository-admin/archiva-repository-admin-default/pom.xml+1 −1 modified@@ -23,7 +23,7 @@ <parent> <groupId>org.apache.archiva</groupId> <artifactId>archiva-repository-admin</artifactId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <artifactId>archiva-repository-admin-default</artifactId> <packaging>bundle</packaging>
archiva-modules/archiva-base/archiva-repository-admin/pom.xml+1 −1 modified@@ -23,7 +23,7 @@ <parent> <groupId>org.apache.archiva</groupId> <artifactId>archiva-base</artifactId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <artifactId>archiva-repository-admin</artifactId> <name>Archiva Base :: Repository Admin</name>
archiva-modules/archiva-base/archiva-repository-layer/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <groupId>org.apache.archiva</groupId> <artifactId>archiva-base</artifactId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <modelVersion>4.0.0</modelVersion> <artifactId>archiva-repository-layer</artifactId>
archiva-modules/archiva-base/archiva-repository-scanner/pom.xml+1 −1 modified@@ -23,7 +23,7 @@ <parent> <artifactId>archiva-base</artifactId> <groupId>org.apache.archiva</groupId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <artifactId>archiva-repository-scanner</artifactId> <packaging>bundle</packaging>
archiva-modules/archiva-base/archiva-security-common/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <artifactId>archiva-base</artifactId> <groupId>org.apache.archiva</groupId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <groupId>org.apache.archiva</groupId> <artifactId>archiva-security-common</artifactId>
archiva-modules/archiva-base/archiva-test-utils/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <artifactId>archiva-base</artifactId> <groupId>org.apache.archiva</groupId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <modelVersion>4.0.0</modelVersion> <artifactId>archiva-test-utils</artifactId>
archiva-modules/archiva-base/archiva-transaction/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <groupId>org.apache.archiva</groupId> <artifactId>archiva-base</artifactId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <artifactId>archiva-transaction</artifactId> <packaging>bundle</packaging>
archiva-modules/archiva-base/archiva-xml-tools/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <groupId>org.apache.archiva</groupId> <artifactId>archiva-base</artifactId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <modelVersion>4.0.0</modelVersion> <artifactId>archiva-xml-tools</artifactId>
archiva-modules/archiva-base/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <groupId>org.apache.archiva</groupId> <artifactId>archiva-modules</artifactId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <artifactId>archiva-base</artifactId>
archiva-modules/archiva-karaf/archiva-features/pom.xml+1 −1 modified@@ -21,7 +21,7 @@ <parent> <groupId>org.apache.archiva</groupId> <artifactId>archiva-karaf</artifactId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <modelVersion>4.0.0</modelVersion> <groupId>org.apache.archiva.karaf</groupId>
archiva-modules/archiva-karaf/pom.xml+1 −1 modified@@ -21,7 +21,7 @@ <parent> <groupId>org.apache.archiva</groupId> <artifactId>archiva-modules</artifactId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <modelVersion>4.0.0</modelVersion> <artifactId>archiva-karaf</artifactId>
archiva-modules/archiva-scheduler/archiva-scheduler-api/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <artifactId>archiva-scheduler</artifactId> <groupId>org.apache.archiva</groupId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <artifactId>archiva-scheduler-api</artifactId> <packaging>bundle</packaging>
archiva-modules/archiva-scheduler/archiva-scheduler-indexing/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <artifactId>archiva-scheduler</artifactId> <groupId>org.apache.archiva</groupId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <artifactId>archiva-scheduler-indexing</artifactId> <packaging>bundle</packaging>
archiva-modules/archiva-scheduler/archiva-scheduler-repository-api/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <artifactId>archiva-scheduler</artifactId> <groupId>org.apache.archiva</groupId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <artifactId>archiva-scheduler-repository-api</artifactId> <packaging>bundle</packaging>
archiva-modules/archiva-scheduler/archiva-scheduler-repository/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <artifactId>archiva-scheduler</artifactId> <groupId>org.apache.archiva</groupId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <artifactId>archiva-scheduler-repository</artifactId> <packaging>bundle</packaging>
archiva-modules/archiva-scheduler/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <groupId>org.apache.archiva</groupId> <artifactId>archiva-modules</artifactId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <modelVersion>4.0.0</modelVersion> <artifactId>archiva-scheduler</artifactId>
archiva-modules/archiva-web/archiva-rest/archiva-rest-api/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <artifactId>archiva-rest</artifactId> <groupId>org.apache.archiva</groupId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <artifactId>archiva-rest-api</artifactId> <!-- DO NOT USE bundle packaging generated documentation is not included in the jar !!! -->
archiva-modules/archiva-web/archiva-rest/archiva-rest-services/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <groupId>org.apache.archiva</groupId> <artifactId>archiva-rest</artifactId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <artifactId>archiva-rest-services</artifactId> <packaging>bundle</packaging>
archiva-modules/archiva-web/archiva-rest/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <groupId>org.apache.archiva</groupId> <artifactId>archiva-web</artifactId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <artifactId>archiva-rest</artifactId> <name>Archiva Web :: REST support</name>
archiva-modules/archiva-web/archiva-rss/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <artifactId>archiva-web</artifactId> <groupId>org.apache.archiva</groupId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <modelVersion>4.0.0</modelVersion> <artifactId>archiva-rss</artifactId>
archiva-modules/archiva-web/archiva-security/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <groupId>org.apache.archiva</groupId> <artifactId>archiva-web</artifactId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <modelVersion>4.0.0</modelVersion> <artifactId>archiva-security</artifactId>
archiva-modules/archiva-web/archiva-test-mocks/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <groupId>org.apache.archiva</groupId> <artifactId>archiva-web</artifactId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <artifactId>archiva-test-mocks</artifactId>
archiva-modules/archiva-web/archiva-webapp/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <groupId>org.apache.archiva</groupId> <artifactId>archiva-web</artifactId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <artifactId>archiva-webapp</artifactId> <packaging>war</packaging>
archiva-modules/archiva-web/archiva-web-common/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <groupId>org.apache.archiva</groupId> <artifactId>archiva-web</artifactId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <artifactId>archiva-web-common</artifactId>
archiva-modules/archiva-web/archiva-webdav/pom.xml+1 −1 modified@@ -23,7 +23,7 @@ <parent> <groupId>org.apache.archiva</groupId> <artifactId>archiva-web</artifactId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <artifactId>archiva-webdav</artifactId>
archiva-modules/archiva-web/pom.xml+1 −1 modified@@ -19,7 +19,7 @@ <parent> <groupId>org.apache.archiva</groupId> <artifactId>archiva-modules</artifactId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <artifactId>archiva-web</artifactId>
archiva-modules/metadata/metadata-model-maven2/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <artifactId>metadata</artifactId> <groupId>org.apache.archiva</groupId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <artifactId>metadata-model-maven2</artifactId> <packaging>bundle</packaging>
archiva-modules/metadata/metadata-model/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <artifactId>metadata</artifactId> <groupId>org.apache.archiva</groupId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <artifactId>metadata-model</artifactId> <packaging>bundle</packaging>
archiva-modules/metadata/metadata-repository-api/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <artifactId>metadata</artifactId> <groupId>org.apache.archiva</groupId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <artifactId>metadata-repository-api</artifactId> <packaging>bundle</packaging>
archiva-modules/metadata/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <artifactId>archiva-modules</artifactId> <groupId>org.apache.archiva</groupId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <artifactId>metadata</artifactId> <name>Archiva :: Metadata</name>
archiva-modules/metadata/test-repository/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <artifactId>metadata</artifactId> <groupId>org.apache.archiva</groupId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <artifactId>test-repository</artifactId> <name>Archiva Metadata :: Repository for Testing</name>
archiva-modules/plugins/audit/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <artifactId>plugins</artifactId> <groupId>org.apache.archiva</groupId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <artifactId>audit</artifactId> <packaging>bundle</packaging>
archiva-modules/plugins/generic-metadata-support/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <artifactId>plugins</artifactId> <groupId>org.apache.archiva</groupId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <artifactId>generic-metadata-support</artifactId> <packaging>bundle</packaging>
archiva-modules/plugins/maven2-repository/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <groupId>org.apache.archiva</groupId> <artifactId>plugins</artifactId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <artifactId>maven2-repository</artifactId> <packaging>bundle</packaging>
archiva-modules/plugins/metadata-store-cassandra/pom.xml+1 −1 modified@@ -23,7 +23,7 @@ <parent> <artifactId>plugins</artifactId> <groupId>org.apache.archiva</groupId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <artifactId>metadata-store-cassandra</artifactId> <packaging>bundle</packaging>
archiva-modules/plugins/metadata-store-file/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <artifactId>plugins</artifactId> <groupId>org.apache.archiva</groupId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <artifactId>metadata-store-file</artifactId> <packaging>bundle</packaging>
archiva-modules/plugins/metadata-store-jcr/pom.xml+1 −1 modified@@ -23,7 +23,7 @@ <parent> <artifactId>plugins</artifactId> <groupId>org.apache.archiva</groupId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <artifactId>metadata-store-jcr</artifactId> <packaging>bundle</packaging>
archiva-modules/plugins/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <artifactId>archiva-modules</artifactId> <groupId>org.apache.archiva</groupId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <artifactId>plugins</artifactId> <name>Archiva :: Core Plugins</name>
archiva-modules/plugins/problem-reports/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <artifactId>plugins</artifactId> <groupId>org.apache.archiva</groupId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <artifactId>problem-reports</artifactId> <packaging>bundle</packaging>
archiva-modules/plugins/repository-statistics/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <artifactId>plugins</artifactId> <groupId>org.apache.archiva</groupId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <artifactId>repository-statistics</artifactId> <packaging>bundle</packaging>
archiva-modules/plugins/stage-repository-merge/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <artifactId>plugins</artifactId> <groupId>org.apache.archiva</groupId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <groupId>org.apache.archiva</groupId> <artifactId>stage-repository-merge</artifactId>
archiva-modules/pom.xml+1 −1 modified@@ -21,7 +21,7 @@ <parent> <artifactId>archiva</artifactId> <groupId>org.apache.archiva</groupId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> </parent> <modelVersion>4.0.0</modelVersion> <artifactId>archiva-modules</artifactId>
pom.xml+1 −1 modified@@ -27,7 +27,7 @@ </parent> <artifactId>archiva</artifactId> - <version>2.2.9-SNAPSHOT</version> + <version>2.2.9</version> <packaging>pom</packaging> <name>Apache Archiva</name>
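Review bot: every hunk in this commit changes only a version element from 2.2.9-SNAPSHOT to 2.2.9 (the parent version in each module pom.xml, the project version in the root pom.xml), so nothing here touches directory deletion or path handling and the commit cannot be reviewed as the fix for CVE-2022-40309. Suggest listing the commit that changes the deletion code alongside this release commit, so that the fix itself is what gets reviewed and backported.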
Vulnerability mechanics
Root cause
"Missing path validation in a repository file-deletion endpoint allows users with write access to delete directories outside the intended repository scope."
Attack vector
An attacker with write permissions to a repository can delete arbitrary directories on the server. The advisory does not specify the exact API endpoint or payload shape, but the precondition is that the attacker must have repository write access. The vulnerability likely involves a path traversal or missing directory validation in a file-management endpoint that fails to restrict deletion to the intended repository directory.
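The missing check described above, as an added example in Java; it is not Archiva's code, since the advisory does not show the vulnerable path. `RepoDeleteGuard`, its method names and the temporary directory layout are hypothetical, and refusing to delete the repository root itself is a design choice of this example.

```java
import java.io.IOException;
import java.io.UncheckedIOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Comparator;
import java.util.stream.Stream;

// Hypothetical class: illustrates the bug class, not Archiva's implementation.
public class RepoDeleteGuard {

    // Before: the caller-supplied path is joined onto the repository root as-is,
    // so ".." segments or an absolute path select a directory outside the root.
    static Path resolveUnchecked(Path repoRoot, String requested) {
        return repoRoot.resolve(requested).normalize();
    }

    // After: the target must stay strictly below the real repository root,
    // both lexically and after symbolic links are followed.
    static Path resolveInsideRepo(Path repoRoot, String requested) throws IOException {
        Path root = repoRoot.toRealPath();
        Path target = root.resolve(requested).normalize();
        // Path.startsWith compares whole name elements, so a sibling such as
        // "internal-backup" does not pass as a child of "internal".
        if (target.equals(root) || !target.startsWith(root)) {
            throw new SecurityException("outside repository: " + requested);
        }
        if (Files.exists(target) && !target.toRealPath().startsWith(root)) {
            throw new SecurityException("symlink leaves repository: " + requested);
        }
        return target;
    }

    static void deleteDirectory(Path repoRoot, String requested) throws IOException {
        Path target = resolveInsideRepo(repoRoot, requested);
        // Files.walk does not follow symbolic links: links are removed, not traversed.
        try (Stream<Path> tree = Files.walk(target)) {
            tree.sorted(Comparator.reverseOrder()).forEach(p -> {
                try {
                    Files.delete(p);
                } catch (IOException e) {
                    throw new UncheckedIOException(e);
                }
            });
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout in a temporary directory: one repository, one sibling directory.
        Path base = Files.createTempDirectory("repo-guard-demo").toRealPath();
        Path repo = Files.createDirectories(base.resolve("repositories/internal"));
        Path conf = Files.createDirectories(base.resolve("conf"));
        Files.createDirectories(repo.resolve("org/example/1.0"));

        // Constructed request paths: one legitimate, the rest leave the repository.
        String[] requests = {
            "org/example/1.0", "../../conf", "org/../../../conf", conf.toString(), ""
        };
        for (String r : requests) {
            try {
                deleteDirectory(repo, r);
                System.out.println("deleted  \"" + r + "\"");
            } catch (SecurityException e) {
                System.out.println("refused  \"" + r + "\" (unchecked join targets "
                        + resolveUnchecked(repo, r) + ")");
            }
        }
        System.out.println("conf still present: " + Files.isDirectory(conf));
    }
}
```

Run with `java RepoDeleteGuard.java` on Java 11 or later; only the first request is deleted, and the sibling `conf` directory survives.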
Affected code
The patch only updates version strings from 2.2.9-SNAPSHOT to 2.2.9 across multiple pom.xml files in the Apache Archiva project. No functional code changes are present in this commit, so the specific vulnerable code path is not visible in this patch.
What the fix does
The provided patch [patch_id=1666571] is a Maven release preparation commit that only changes version identifiers from 2.2.9-SNAPSHOT to 2.2.9 across all pom.xml files. It contains no code changes that address directory deletion. The actual security fix must reside in a different commit that is not included in this bundle.
Preconditions
- auth: Attacker must have write permissions to a repository in Apache Archiva.
Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-xgq8-jq9w-77r5 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2022-40309 (ghsa, ADVISORY)
- www.openwall.com/lists/oss-security/2022/11/15/3 (ghsa, mailing-list, WEB)
- lists.apache.org/thread/1odl4p85r96n27k577jk6ftrp19xfc27 (ghsa, WEB)