Apache Maven Multiple Security Bypass Vulnerabilities

Bug #1922654 reported by it0001 on 2021-04-06
Affects / Status / Importance / Assigned to / Milestone
httpcomponents-client (Ubuntu): Importance Undecided, Unassigned
maven (Ubuntu): Importance Undecided, Unassigned

Bug Description

CVE Numbers

CVE-2021-26291 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26291>, CVE-2020-13956 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13956>

Description

Multiple vulnerabilities have been reported in Apache Maven, which can be exploited by malicious people to bypass certain security restrictions.

1. An error when resolving custom repositories in dependency POMs over HTTP instead of HTTPS can be exploited to e.g. conduct a MitM (Man-in-the-Middle) attack.

The vulnerabilities are reported in versions prior to 3.8.1.

Affected Software

The following software is affected by the described vulnerability. Please check the vendor links below to see whether your exact version is affected.

Solution

Update to version 3.8.1.

References

1. http://maven.apache.org/docs/3.8.1/release-notes.html

Please provide a solution as soon as possible.
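An added example, not part of this bug report or of the Maven project: a small scanner that lists every repository a POM (a project's own pom.xml or a dependency POM pulled from the local ~/.m2 cache) declares over plain http://, which is the condition item 1 above describes. The sample POM and its repository ids are constructed.

```python
# Added example (not from the bug report or the Maven project): flag repository
# URLs in Maven POMs that use plain http://, the case a network attacker can
# tamper with. Tag handling covers both namespaced and bare POMs.
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Elements whose <url> child Maven downloads artifacts or plugins from.
# distributionManagement entries (deploy targets) are deliberately left out.
REPO_TAGS = {"repository", "pluginRepository"}

def _local(tag):
    """Strip the POM namespace so tag comparison works with or without it."""
    return tag.split("}", 1)[1] if tag.startswith("{") else tag

def find_insecure_repositories(pom_xml):
    """Return [(repository id, url)] for every repository declared over plain HTTP,
    in document order, including repositories declared inside <profiles>."""
    root = ET.fromstring(pom_xml)
    findings = []
    for elem in root.iter():
        if _local(elem.tag) not in REPO_TAGS:
            continue
        repo_id = url = None
        for child in elem:
            name = _local(child.tag)
            if name == "id":
                repo_id = (child.text or "").strip()
            elif name == "url":
                url = (child.text or "").strip()
        # urlparse lowercases the scheme, so "HTTP://" is caught as well.
        if url and urlparse(url).scheme == "http":
            findings.append((repo_id or "<no id>", url))
    return findings

# Constructed sample: a dependency POM that declares one custom repository over
# http:// at top level and a plugin repository over http:// inside a profile.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId><artifactId>lib</artifactId><version>1.0</version>
  <repositories>
    <repository><id>corp-http</id><url>http://repo.example.test/maven2</url></repository>
    <repository><id>corp-tls</id><url>https://repo.example.test/maven2</url></repository>
  </repositories>
  <profiles><profile><id>legacy</id>
    <pluginRepositories>
      <pluginRepository><id>old-plugins</id><url>HTTP://plugins.example.test/</url></pluginRepository>
    </pluginRepositories>
  </profile></profiles>
</project>"""

if __name__ == "__main__":
    for repo_id, url in find_insecure_repositories(SAMPLE_POM):
        print(f"plain-HTTP repository {repo_id!r}: {url}")
```

Maven 3.8.1 itself addresses this by shipping a default mirror named maven-default-http-blocker in settings.xml whose mirrorOf is external:http:*, so plain-HTTP repositories outside localhost fail to resolve unless that mirror is removed.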

it0001 (it0001-escrypt) on 2021-04-06
description: updated
information type: Private Security → Public Security
Eduardo Barretto (ebarretto) wrote:

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the packages referred to in this bug are in universe or multiverse, they are community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Changed in httpcomponents-client (Ubuntu):
status: New → Confirmed
Changed in maven (Ubuntu):
status: New → Confirmed