[org.apache.archiva:archiva-common] Apache Archiva vulnerable to Sensitive Information Disclosure via anonymous user

Apache Archiva prior to 2.2.9 may allow the anonymous user to read arbitrary files. If anonymous read enabled, it’s possible to read the database file directly without logging in.

References

• https://nvd.nist.gov/vuln/detail/CVE-2022-40308
• https://lists.apache.org/thread/x01pnn0jjsw512cscxsbxzrjmz64n4cc
• http://www.openwall.com/lists/oss-security/2022/11/15/2
• https://archiva.apache.org/security.html
• https://github.com/advisories/GHSA-463w-hxfv-g9f6