CVE-2020-9495

Name of the Vulnerable Software and Affected Versions Apache Archiva versions prior to 2.2.5

Description The issue allows an attacker to retrieve user attribute data from the connected LDAP server by providing special values to the login form. This is achieved by modifying the LDAP filter used to query the LDAP users with certain characters. An attacker can also retrieve arbitrary attribute data from LDAP user objects by measuring the response time for the login request.

Recommendations For versions prior to 2.2.5, update to version 2.2.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the login service to minimize the risk of exploitation. Avoid using special characters in the login form until the issue is resolved.