CVE-2021-26291

CVE-2021-26291

Apache Maven will follow repositories that are defined in a dependency’s Project Object Model (pom) which may be surprising to some users, resulting in potential risk if a malicious actor takes over that repository or is able to insert themselves into a position to pretend to be that repository. Maven is changing the default behavior in 3.8.1+ to no longer follow http (non-SSL) repository references by default. More details available in the referenced urls. If you are currently using a repository manager to govern the repositories used by your builds, you are unaffected by the risks present in the legacy behavior, and are unaffected by this vulnerability and change to default behavior. See this link for more information about repository management: https://maven.apache.org/repository-management.html

Published Apr 9, 2021

Apache Jira · MNG-7118 Apache · Announcement Apache · Release notes

CVSS ScoreCritical

9.1

Vulnerabilities

CVE-2021-26291

Published Apr 9, 2021

Apache Jira · MNG-7118 Apache · Announcement Apache · Release notes

CVSS ScoreCritical

9.1

CVE-2021-26291 Security Details

CVE ID: CVE-2021-26291
CWE: CWE-346
CVE Description: Apache Maven will follow repositories that are defined in a dependency’s Project Object Model (pom) which may be surprising to some users, resulting in potential risk if a malicious actor takes over that repository or is able to insert themselves into a position to pretend to be that repository. Maven is changing the default behavior in 3.8.1+ to no longer follow http (non-SSL) repository references by default. More details available in the referenced urls. If you are currently using a repository manager to govern the repositories used by your builds, you are unaffected by the risks present in the legacy behavior, and are unaffected by this vulnerability and change to default behavior. See this link for more information about repository management: https://maven.apache.org/repository-management.html
Published: Apr 9, 2021
CVSS Score & Severity: 9.1Critical
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS Score: 46.101%
Malware: malware
KEV Status: Not in KEV Catalog: No known exploits
Vulnerable Methods: org/apache/maven/DefaultMaven.newRepositorySession(Lorg/apache/maven/execution/MavenExecutionRequest;)Lorg/eclipse/aether/RepositorySystemSession;
JVM
org/apache/maven/artifact/manager/DefaultWagonManager.getMirror(Ljava/lang/String;)Lorg/apache/maven/artifact/repository/ArtifactRepository;
JVM
org/apache/maven/artifact/manager/DefaultWagonManager.matchPattern(Lorg/apache/maven/artifact/repository/ArtifactRepository;Ljava/lang/String;)Z
JVM
org/apache/maven/bridge/MavenRepositorySystem.matchPattern(Lorg/apache/maven/artifact/repository/ArtifactRepository;Ljava/lang/String;)Z
JVM
org/apache/maven/bridge/MirrorSelector.matchPattern(Lorg/apache/maven/artifact/repository/ArtifactRepository;Ljava/lang/String;)Z
JVM
org/apache/maven/repository/DefaultMirrorSelector.matchPattern(Lorg/apache/maven/artifact/repository/ArtifactRepository;Ljava/lang/String;)Z
JVM
org/apache/maven/settings/Mirror.toString()Ljava/lang/String;
JVM
Affected Ecosystems: affected
Source: National Vulnerability Database
References: Apache Jira · MNG-7118PROJECT
Apache · AnnouncementPROJECT
Apache · Release notesPROJECT

CVE-2021-26291 Security Details

CVE ID: CVE-2021-26291
CWE: CWE-346
CVE Description: Apache Maven will follow repositories that are defined in a dependency’s Project Object Model (pom) which may be surprising to some users, resulting in potential risk if a malicious actor takes over that repository or is able to insert themselves into a position to pretend to be that repository. Maven is changing the default behavior in 3.8.1+ to no longer follow http (non-SSL) repository references by default. More details available in the referenced urls. If you are currently using a repository manager to govern the repositories used by your builds, you are unaffected by the risks present in the legacy behavior, and are unaffected by this vulnerability and change to default behavior. See this link for more information about repository management: https://maven.apache.org/repository-management.html
Published: Apr 9, 2021
CVSS Score & Severity: 9.1Critical
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS Score: 46.101%
Malware: malware
KEV Status: Not in KEV Catalog: No known exploits
Vulnerable Methods: org/apache/maven/DefaultMaven.newRepositorySession(Lorg/apache/maven/execution/MavenExecutionRequest;)Lorg/eclipse/aether/RepositorySystemSession;
JVM
org/apache/maven/artifact/manager/DefaultWagonManager.getMirror(Ljava/lang/String;)Lorg/apache/maven/artifact/repository/ArtifactRepository;
JVM
org/apache/maven/artifact/manager/DefaultWagonManager.matchPattern(Lorg/apache/maven/artifact/repository/ArtifactRepository;Ljava/lang/String;)Z
JVM
org/apache/maven/bridge/MavenRepositorySystem.matchPattern(Lorg/apache/maven/artifact/repository/ArtifactRepository;Ljava/lang/String;)Z
JVM
org/apache/maven/bridge/MirrorSelector.matchPattern(Lorg/apache/maven/artifact/repository/ArtifactRepository;Ljava/lang/String;)Z
JVM
org/apache/maven/repository/DefaultMirrorSelector.matchPattern(Lorg/apache/maven/artifact/repository/ArtifactRepository;Ljava/lang/String;)Z
JVM
org/apache/maven/settings/Mirror.toString()Ljava/lang/String;
JVM
Affected Ecosystems: affected
Source: National Vulnerability Database
References: Apache Jira · MNG-7118PROJECT
Apache · AnnouncementPROJECT
Apache · Release notesPROJECT

Find vulnerabilities. Fix fast with AI.

CVE-2021-26291

CVE-2021-26291 Security Details

CVE-2021-26291 Security Details