Patch for CVE-2021-26291 is ineffective, uses unsupported 'blocked' tag
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| maven (Ubuntu) | Fix Released | Undecided | Nishit Majithia | |
Bug Description
A patch was applied in version 3.6.3-5ubuntu1 to address CVE-2021-26291, relating to Maven using unencrypted HTTP to connect to repositories.
This patch added a "maven-
However, the <blocked> element in settings.xml is not supported by Maven versions prior to 3.8.1, according to https:/
The patch does not effectively address the CVE, because Maven prior to 3.8.1 does not recognize that the mirror should be blocked. I have confirmed that Maven 3.6.3-5ubuntu1 will connect to repositories via unencrypted HTTP.
Additionally, whenever Maven is invoked, it emits a confusing but harmless warning "Unrecognised tag: 'blocked'" while parsing the system settings.xml.
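As an added check (not from the bug report or from Ubuntu's patch), the script below parses a settings.xml, lists the mirrors that declare `<blocked>true</blocked>`, and reports whether the installed Maven version will actually honor them. The sample settings.xml is constructed here and modeled on the mirror block Maven 3.8.1 ships in its default conf/settings.xml; the Maven version is passed in as a string rather than read from `mvn -v`.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample, modeled on the HTTP-blocking mirror Maven 3.8.1 adds
# to its default conf/settings.xml. Not copied from the Ubuntu patch.
SAMPLE_SETTINGS = """<?xml version="1.0" encoding="UTF-8"?>
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <mirrors>
    <mirror>
      <id>maven-default-http-blocker</id>
      <mirrorOf>external:http:*</mirrorOf>
      <url>http://0.0.0.0/</url>
      <blocked>true</blocked>
    </mirror>
  </mirrors>
</settings>
"""

NS = {"s": "http://maven.apache.org/SETTINGS/1.0.0"}
BLOCKED_SUPPORTED_SINCE = (3, 8, 1)  # <blocked> is recognised from 3.8.1 on


def parse_version(text: str) -> tuple:
    """Turn '3.6.3' or 'Apache Maven 3.6.3 (...)' into (3, 6, 3)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(x) for x in m.groups())


def blocked_mirrors(settings_xml: str) -> list:
    """Return the ids of mirrors that declare <blocked>true</blocked>."""
    root = ET.fromstring(settings_xml)
    found = []
    for mirror in root.findall("s:mirrors/s:mirror", NS):
        flag = mirror.findtext("s:blocked", default="false", namespaces=NS)
        if flag.strip().lower() == "true":
            found.append(mirror.findtext("s:id", default="?", namespaces=NS))
    return found


def check_http_blocker(settings_xml: str, maven_version: str) -> dict:
    """Older Maven ignores <blocked>, so the mirror blocks nothing there."""
    ids = blocked_mirrors(settings_xml)
    honored = parse_version(maven_version) >= BLOCKED_SUPPORTED_SINCE
    return {"blocked_mirrors": ids, "honored": honored,
            "effective": honored and bool(ids)}


if __name__ == "__main__":
    for version in ("3.6.3", "3.8.1"):
        print(version, check_http_blocker(SAMPLE_SETTINGS, version))
```

On a 3.6.3 install the report shows `honored: False`, which is the situation this bug describes: the mirror entry is present in settings.xml but the running Maven does not treat it as blocked.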
CVE References: CVE-2021-26291
Activity:
- description: updated
- information type: Public → Public Security
- summary: "Patch for CVE-2021-26291 uses unsupported 'blocked' tag" → "Patch for CVE-2021-26291 is ineffective, uses unsupported 'blocked' tag"
@Nishit can you take a look at this issue?