2016/05/18 - Apache Continuum has been retired.

For more information, please explore the Attic.

Security Vulnerabilities

Please note that binary patches are not produced for individual vulnerabilities. To obtain the binary fix for a particular vulnerability you should upgrade to an Apache Continuum version where that vulnerability has been fixed.

For more information about reporting vulnerabilities, see the Apache Security Team page.

CVE-2013-2251: Apache Struts Remote Command Execution

Apache Continuum is affected by a vulnerability in the version of the Struts library being used, which allows a malicious user to run code on the server remotely. More details about the vulnerability can be found at http://struts.apache.org/release/2.3.x/docs/s2-016.html.

Versions Affected:

  • Continuum 1.3.1 to Continuum 1.4.1

All users are recommended to upgrade to Continuum 1.4.2, which is not affected by this issue.

CVE-2010-1870: Struts2 remote command execution

Apache Continuum is affected by a vulnerability in the version of the Struts library being used, which allows a malicious user to run code on the server remotely. More details about the vulnerability can be found at http://struts.apache.org/2.2.1/docs/s2-005.html.

Versions Affected:

  • Continuum 1.3.1 to Continuum 1.3.8
  • Continuum 1.4.0 (Beta)

All users are recommended to upgrade to Continuum 1.4.1, which configures Struts in such a way that it is not affected by this issue.

CVE-2011-0533: Apache Continuum cross-site scripting vulnerability

A request that included a specially crafted request parameter could be used to inject arbitrary HTML or JavaScript into the Continuum user management page and project details pages. This fix is available in version 1.3.7 of Apache Continuum. All users must upgrade to this version (or higher).

Versions Affected:

  • Continuum 1.3.6
  • Continuum 1.4.0 (Beta)
  • The unsupported versions Continuum 1.1 - 1.2.3.1 are also affected.

CVE-2010-3449: Apache Continuum CSRF vulnerability

Apache Continuum does not check which form sends credential changes, so it cannot tell a request originating from its own pages from one submitted by another site. An attacker who can get a Continuum administrator to view a specially crafted page can use that page to change the administrator's credentials. To fix this, a referrer check was added to the security interceptor for all secured actions, and a prompt for the administrator's password when changing a user account was also put in place. This fix is available in version 1.3.7 of Apache Continuum. All users must upgrade to this version (or higher).

Versions Affected:

  • Continuum 1.3.6
  • Continuum 1.4.0 (Beta)
  • The unsupported versions Continuum 1.1 - 1.2.3.1 are also affected.
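The referrer check described for CVE-2010-3449, written out as a Struts 2 interceptor. This is an added illustration, not Continuum's or its security framework's own code; the class name and the decision to treat a missing Referer as untrusted are assumptions.

```java
// Hypothetical Struts 2 interceptor illustrating a Referer-based CSRF check
// for secured actions. Not Continuum's own code; names are assumptions.
package example;

import java.net.URI;
import java.net.URISyntaxException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts2.ServletActionContext;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;

public class RefererCheckInterceptor extends AbstractInterceptor {

    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        HttpServletRequest request = ServletActionContext.getRequest();
        if (!isSameOrigin(request)) {
            HttpServletResponse response = ServletActionContext.getResponse();
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "Cross-site request rejected");
            return null; // stop the chain here; the secured action never runs
        }
        return invocation.invoke();
    }

    /** Accepts the request only if its Referer names this server's host and port. */
    static boolean isSameOrigin(HttpServletRequest request) {
        String referer = request.getHeader("Referer");
        if (referer == null || referer.isEmpty()) {
            return false; // assumption: a missing Referer is treated as untrusted
        }
        try {
            URI uri = new URI(referer);
            String host = uri.getHost();
            int port = uri.getPort() == -1 ? defaultPort(uri.getScheme()) : uri.getPort();
            return host != null
                && host.equalsIgnoreCase(request.getServerName())
                && port == request.getServerPort();
        } catch (URISyntaxException e) {
            return false; // an unparsable Referer is rejected as well
        }
    }

    private static int defaultPort(String scheme) {
        return "https".equalsIgnoreCase(scheme) ? 443 : 80;
    }
}
```

Rejecting requests without a Referer also blocks legitimate clients and proxies that strip the header, which is why a second control such as the password prompt mentioned above is worth keeping alongside it.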