Critical vulnerability reported in Apache Archiva, replace it ASAP

Security experts have identified a significant Authorization vulnerability in Apache Archiva, tracked as CVE-2024-27138 (CVSS not categorized yet). Apache Archiva is an extensible repository management software designed to manage a personal or enterprise-wide build artifact repository. It is ideally paired with build tools like Maven, Continuum, and ANT.

The flaw allows unauthenticated attackers to modify account data and gain unauthorized access to accounts. It's affecting Apache Archiva versions 2.0.0 and onwards. CVE-2024-27138 enables attackers to circumvent user registration settings, compromising the integrity of accounts.

Due to the discontinuation of the Apache Archiva project, this vulnerability, along with another concerning cross-site scripting tracked as CVE-2024-27140, presents a substantial risk to users without the prospect of an official patch or update.

While direct fixes are not available, limiting access to trusted users and isolating affected instances may serve as temporary mitigations.

Given the absence of support for Apache Archiva, users are strongly advised to transition to alternative platforms which are  actively maintained.