Apache Maven security advisories

Security information for Apache Maven

Reporting

Do you want disclose a potential security issue for Apache Maven? You can read more about the projects’ security policy on their security page, and email your report to the Apache Security Team.

Advisories

This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. It may also lack details found on the project security page. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org

Maven Archetype integration-test may package local settings into the published artifact, possibly containing credentials

CVE-2024-47197 [CVE] [CVE json] [OSV json]

Last updated: 2024-09-26T08:01:19.076Z

Affected

  • Maven Archetype Plugin from 3.2.1 before 3.3.0

Description

Exposure of Sensitive Information to an Unauthorized Actor, Insecure Storage of Sensitive Information vulnerability in Maven Archetype Plugin.

This issue affects Maven Archetype Plugin: from 3.2.1 before 3.3.0.

Users are recommended to upgrade to version 3.3.0, which fixes the issue.

Archetype integration testing creates a file called ./target/classes/archetype-it/archetype-settings.xml This file contains all the content from the users ~/.m2/settings.xml file, which often contains information they do not want to publish. We expect that on many developer machines, this also contains credentials.

When the user runs
mvn verify again (without a mvn clean), this file becomes part of the final artifact.

If a developer were to publish this into Maven Central or any other remote repository (whether as a release or a snapshot) their credentials would be published without them knowing.

References

Credits

  • Niels Basjes (reporter)

Commandline class shell injection vulnerabilities

CVE-2022-29599 [CVE] [CVE json] [OSV json]

Last updated: 2022-05-23T10:22:16.632Z

Affected

  • Apache Maven from maven-shared-utils before 3.3.3

Description

In Apache Maven maven-shared-utils prior to version 3.3.3, the Commandline class can emit double-quoted strings without proper escaping, allowing shell injection attacks.

References

block repositories using http by default

CVE-2021-26291 [CVE] [CVE json] [OSV json]

Last updated: 2021-04-23T14:14:28.607Z

Affected

  • Apache Maven from Apache Maven through 3.8.1

Description

Apache Maven will follow repositories that are defined in a dependency’s Project Object Model (pom) which may be surprising to some users, resulting in potential risk if a malicious actor takes over that repository or is able to insert themselves into a position to pretend to be that repository. Maven is changing the default behavior in 3.8.1+ to no longer follow http (non-SSL) repository references by default. More details available in the referenced urls.

If you are currently using a repository manager to govern the repositories used by your builds, you are unaffected by the risks present in the legacy behavior, and are unaffected by this vulnerability and change to default behavior. See this link for more information about repository management: https://maven.apache.org/repository-management.html

References

Credits

  • Apache Maven would like to thank Jonathan Leitschuh for highlighting the need for this change.