CVE-2010-4408 Information

Description

Apache Archiva 1.0 through 1.0.3 1.1 through 1.1.4 1.2 through 1.2.2 and 1.3 through 1.3.1 does not require entry of the administrator’s password at the time of modifying a user account which makes it easier for context-dependent attackers to gain privileges by leveraging a (1) unattended workstation or (2) cross-site request forgery (CSRF) vulnerability a related issue to CVE-2010-3449.

Reference

http://archiva.apache.org/security.html http://mail-archives.apache.org/mod_mbox/archiva-users/201011.mbox/ajax/3CAANLkTimXejHAuXdoUKLN=GkNty1_XnRCbv0YA0T2cS_2@mail.gmail.com3E http://www.securityfocus.com/archive/1/514937/100/0/threaded