Apache Archiva Cross-Site Scripting and Command Execution

Apache Archiva is an extensible repository management software.

Apache Archiva is affected by the following vulnerabilities:

  • Apache Archiva ships a version of the Struts library that contains a known vulnerability, which allows a malicious user to run code on the server remotely.
  • Apache Archiva is affected by a cross-site scripting (XSS) issue: a crafted request can be used to inject arbitrary HTML or JavaScript into the Archiva home page.

Affected Software:
Archiva 1.3 to Archiva 1.3.6
The unsupported versions Archiva 1.2 to 1.2.2 are also affected.
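For fleet inventory it helps to turn the affected ranges above into a check that can be run against the version strings reported by each Archiva instance. The following is an added example (not code from the Archiva project or from this advisory); it assumes Archiva version strings of the form `1.3.6` or `1.3.6-SNAPSHOT`, and it deliberately treats releases that the advisory neither lists as affected nor names as the fix (for example anything between 1.3.6 and 1.3.8) as "verify" rather than guessing.

```python
import re

# Affected ranges exactly as stated in the advisory (inclusive):
# Archiva 1.2 to 1.2.2 (unsupported) and Archiva 1.3 to 1.3.6.
AFFECTED_RANGES = [((1, 2, 0), (1, 2, 2)), ((1, 3, 0), (1, 3, 6))]
# First release the advisory names as fixed.
FIXED_VERSION = (1, 3, 8)

def parse_version(text):
    """Turn '1.3', '1.3.6' or '1.3.6-SNAPSHOT' into a 3-tuple of ints.
    A qualifier after '-' (SNAPSHOT, RC1, ...) is ignored for range comparison,
    and missing components are treated as 0, so '1.3' becomes (1, 3, 0)."""
    core = text.strip().split("-", 1)[0]
    m = re.fullmatch(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", core)
    if not m:
        raise ValueError(f"unrecognised Archiva version string: {text!r}")
    return tuple(int(g) if g else 0 for g in m.groups())

def is_affected(text):
    """True if the version falls inside one of the advisory's affected ranges."""
    v = parse_version(text)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)

def assess(text):
    """Map a version string to an inventory verdict based only on the advisory."""
    v = parse_version(text)
    if is_affected(text):
        return "affected: upgrade to Archiva 1.3.8 or later"
    if v < FIXED_VERSION:
        # Not in a listed range, but older than the fixed release; the advisory
        # says nothing about these versions, so do not assume they are safe.
        return "not in listed ranges but older than 1.3.8: verify"
    return "not affected (1.3.8 or later)"

if __name__ == "__main__":
    # Constructed inventory sample, not real hosts.
    for host, version in [("repo-a", "1.3.6"), ("repo-b", "1.2"), ("repo-c", "1.3.8")]:
        print(f"{host}: Archiva {version} -> {assess(version)}")
```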
A remote attacker can exploit these vulnerabilities to conduct cross-site scripting attacks or execute arbitrary OGNL expressions on the targeted system.
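Until an instance is upgraded, the most useful thing a defender can do with this advisory is watch the web server's access log for the two request shapes it describes: HTML or script markup aimed at the home page, and `%{...}`/`${...}` expression syntax of the kind an OGNL injection uses. The script below is an added example, not code from the Archiva project or this advisory. The log lines are constructed for the example (Common Log Format, invented addresses and paths), and the indicator patterns are generic, so they should be tuned against a real deployment's traffic before being used for alerting.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (Common Log Format). They are made up
# for this example and are not taken from any real Archiva deployment.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2013:10:00:01 +0000] "GET /archiva/index.action HTTP/1.1" 200 5123
10.0.0.7 - - [01/Jan/2013:10:00:02 +0000] "GET /archiva/index.action?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5200
10.0.0.9 - - [01/Jan/2013:10:00:03 +0000] "GET /archiva/index.action?name=%25%7B1%2B1%7D HTTP/1.1" 200 5199
10.0.0.5 - - [01/Jan/2013:10:00:04 +0000] "GET /archiva/repository/internal/org/foo/1.0/foo-1.0.jar HTTP/1.1" 200 81234
"""

# Minimal Common Log Format parser: client IP, timestamp, method, request target, status.
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators matching the two issues in the advisory. Each is checked against
# every URL-decoding layer of the request target so that double encoding
# (e.g. %25%7B for %{) does not hide it.
INDICATORS = {
    "ognl_expression": re.compile(r"[%$]\{"),  # %{...} or ${...} expression syntax
    "html_injection": re.compile(
        r"<\s*/?\s*(script|img|iframe|svg|object|embed)\b|javascript\s*:|\bon[a-z]+\s*=",
        re.IGNORECASE,
    ),
}

def decoding_layers(target, max_depth=3):
    """Return the target plus each successive URL-decoding until it stops changing."""
    layers = [target]
    for _ in range(max_depth):
        decoded = unquote_plus(layers[-1])
        if decoded == layers[-1]:
            break
        layers.append(decoded)
    return layers

def scan_log(text):
    """Return one finding per (request, indicator) pair, in log order."""
    findings = []
    for line in text.splitlines():
        m = CLF.match(line)
        if not m:
            continue  # skip lines that are not CLF entries
        layers = decoding_layers(m["target"])
        for name, pattern in INDICATORS.items():
            evidence = next((layer for layer in layers if pattern.search(layer)), None)
            if evidence is not None:
                findings.append({"ip": m["ip"], "ts": m["ts"], "indicator": name, "evidence": evidence})
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['indicator']}: {f['evidence']}")
```

A real deployment would feed the web server's actual access log to `scan_log` and route the findings into whatever alerting pipeline is in use; the patterns are intentionally narrow, so a hit is worth looking at but is not proof of exploitation on its own.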


Users are advised to upgrade to the latest version of the software, which can be downloaded from the Apache Archiva website.

The release that fixes these vulnerabilities is:

Archiva 1.3.8 or later
