Apache Maven Multiple Security Bypass Vulnerabilities

Bug #1922654 reported by it0001 on 2021-04-06
258
This bug affects 1 person
Affects Status Importance Assigned to Milestone
maven (Ubuntu)
Undecided
Unassigned

Bug Description

CVE Numbers

CVE‑2021‑26291 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26291> , CVE‑2020‑13956 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13956>

Description

Multiple vulnerabilities have been reported in Apache Maven, which can be exploited by malicious people to bypass certain security restrictions.

1

An error when resolving custom repositories in dependency POMs over HTTP instead of HTTPS can be exploited to e.g. conduct a MitM (Man-in-the-Middle) attack.

The vulnerabilities are reported in versions prior to 3.8.1.

Affected Software

The following software is affected by the described vulnerability. Please check the vendor links below to see if exactly your version is affected.

Solution

Update to version 3.8.1.

References

1. http://maven.apache.org/docs/3.8.1/release-notes.html <http://maven.apache.org/docs/3.8.1/release-notes.html>

Please provide a solution as soon as possible.

it0001 (it0001-escrypt) on 2021-04-06
description: updated
information type: Private Security → Public Security
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers