Apache Maven security advisories
Security information for Apache Maven
Reporting
Do you want disclose a potential security issue for Apache Maven? You can read more about the projects’ security policy on their security page, and email your report to the Apache Security Team.
Advisories
This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. It may also lack details found on the project security page. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org
Maven Archetype integration-test may package local settings into the published artifact, possibly containing credentials
CVE-2024-47197 [CVE] [CVE json] [OSV json]
Last updated: 2024-09-26T08:01:19.076Z
Affected
- Maven Archetype Plugin from 3.2.1 before 3.3.0
Description
Exposure of Sensitive Information to an Unauthorized Actor, Insecure Storage of Sensitive Information vulnerability in Maven Archetype Plugin.
This issue affects Maven Archetype Plugin: from 3.2.1 before 3.3.0.
Users are recommended to upgrade to version 3.3.0, which fixes the issue.
Archetype integration testing creates a file called ./target/classes/archetype-it/archetype-settings.xml This file contains all the content from the users ~/.m2/settings.xml file, which often contains information they do not want to publish. We expect that on many developer machines, this also contains credentials.When the user runs mvn verify again (without a mvn clean), this file becomes part of the final artifact.
If a developer were to publish this into Maven Central or any other remote repository (whether as a release or a snapshot) their credentials would be published without them knowing.
References
Credits
- Niels Basjes (reporter)
Commandline class shell injection vulnerabilities
CVE-2022-29599 [CVE] [CVE json] [OSV json]
Last updated: 2022-05-23T10:22:16.632Z
Affected
- Apache Maven from maven-shared-utils before 3.3.3
Description
In Apache Maven maven-shared-utils prior to version 3.3.3, the Commandline class can emit double-quoted strings without proper escaping, allowing shell injection attacks.
References
- https://issues.apache.org/jira/browse/MSHARED-297
- https://github.com/apache/maven-shared-utils/pull/40
block repositories using http by default
CVE-2021-26291 [CVE] [CVE json] [OSV json]
Last updated: 2021-04-23T14:14:28.607Z
Affected
- Apache Maven from Apache Maven through 3.8.1
Description
Apache Maven will follow repositories that are defined in a dependency’s Project Object Model (pom) which may be surprising to some users, resulting in potential risk if a malicious actor takes over that repository or is able to insert themselves into a position to pretend to be that repository. Maven is changing the default behavior in 3.8.1+ to no longer follow http (non-SSL) repository references by default. More details available in the referenced urls.
If you are currently using a repository manager to govern the repositories used by your builds, you are unaffected by the risks present in the legacy behavior, and are unaffected by this vulnerability and change to default behavior. See this link for more information about repository management: https://maven.apache.org/repository-management.html
References
Credits
- Apache Maven would like to thank Jonathan Leitschuh for highlighting the need for this change.