Apache Maven Multiple Security Bypass Vulnerabilities

Bug #1922654 reported by it0001 on 2021-04-06
This bug affects 1 person
Affects Status Importance Assigned to Milestone
maven (Ubuntu)

Bug Description

CVE Numbers

CVE‑2021‑26291 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26291> , CVE‑2020‑13956 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13956>


Multiple vulnerabilities have been reported in Apache Maven, which can be exploited by malicious people to bypass certain security restrictions.


An error when resolving custom repositories in dependency POMs over HTTP instead of HTTPS can be exploited to e.g. conduct a MitM (Man-in-the-Middle) attack.

The vulnerabilities are reported in versions prior to 3.8.1.

Affected Software

The following software is affected by the described vulnerability. Please check the vendor links below to see if exactly your version is affected.


Update to version 3.8.1.


1. http://maven.apache.org/docs/3.8.1/release-notes.html <http://maven.apache.org/docs/3.8.1/release-notes.html>

Please provide a solution as soon as possible.

it0001 (it0001-escrypt) on 2021-04-06
description: updated
information type: Private Security → Public Security
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers