GHSA-hf4p-mhc8-x2gp · Severity: high · Ecosystem: maven — Apache Archiva vulnerable to Cross Site Request Forgery
Several REST service endpoints of Apache Archiva are not protected against Cross Site Request Forgery (CSRF) attacks. A malicious site opened in the same browser as the archiva site, may send an HTML response that performs arbitrary actions on archiva services, with the same rights as the active archiva session (e.g. administrator rights).
Conclusion & alert: CVE-2017-5657 is rated Moderate Risk (51.6/100): CVSS High severity, with medium exploitation likelihood (EPSS 0.87%). Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.09% | 0.87% | +0.78% |
| 2 | 2025-03-17 | 0.16% | 0.09% | -0.07% |
| 3 | 2024-12-17 | — | 0.16% | — |
Full EPSS history (6 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 8.0 | 3.0 | HIGH |
|
2.1 | 5.9 | [email protected] |
| 6.0 | 2.0 | MEDIUM |
|
6.8 | 6.4 | [email protected] |
GHSA-hf4p-mhc8-x2gp · Severity: high · Ecosystem: maven — Apache Archiva vulnerable to Cross Site Request Forgery
| URL | Tags |
|---|---|
| http://archiva.apache.org/security.html#CVE-2017-5657 | Patch Vendor Advisory |
| http://www.securityfocus.com/bid/98570 | Third Party Advisory VDB Entry |
| http://www.securitytracker.com/id/1038528 | |
| https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8%40%3Ccommits.pulsar.apache.org%3E |