Apache Archiva Arbitrary user password reset vulnerability

In Apache Archiva, any registered user can reset password for any users. This is fixed in Archiva 2.2.8