Comment 0 for bug 1922654

it0001 (it0001-escrypt) wrote :

Description

Multiple vulnerabilities have been reported in Apache Maven, which can be exploited by malicious people to bypass certain security restrictions.

1. An error when resolving custom repositories in dependency POMs over HTTP instead of HTTPS can be exploited to e.g. conduct a MitM (Man-in-the-Middle) attack.

The vulnerabilities are reported in versions prior to 3.8.1.

Affected Software

The following software is affected by the described vulnerability. Please check the vendor links below to see if exactly your version is affected.

Solution

Update to version 3.8.1.

References

1. http://maven.apache.org/docs/3.8.1/release-notes.html

Please provide a solution as soon as possible.