Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 01 Mar 2024 10:44:35 +0000
From: Arnout Engelen <>
Subject: CVE-2024-27138: Apache Archiva: disabling user registration is not

Severity: moderate

Affected versions:

- Apache Archiva 2.0.0 or later


** UNSUPPORTED WHEN ASSIGNED ** Incorrect Authorization vulnerability in Apache Archiva.

Apache Archiva has a setting to disable user registration, however this restriction can be bypassed. As Apache Archiva has been retired, we do not expect to release a version of Apache Archiva that fixes this issue. You are recommended to look into migrating to a different solution, or isolate your instance from any untrusted users.

NOTE: This vulnerability only affects products that are no longer supported by the maintainer


Florian Hauser, @frycos (reporter)


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.