CVE-2021-26291

Common vulnerabilities & exposures (CVE)

CVE database CVE database blogpost Release & EoL database

Published at: - 23-04-2021 05:15

Last modified: - 25-07-2022 08:15

Total changes: - 24

Description

Apache Maven will follow repositories that are defined in a dependency’s Project Object Model (pom) which may be surprising to some users, resulting in potential risk if a malicious actor takes over that repository or is able to insert themselves into a position to pretend to be that repository. Maven is changing the default behavior in 3.8.1+ to no longer follow http (non-SSL) repository references by default. More details available in the referenced urls. If you are currently using a repository manager to govern the repositories used by your builds, you are unaffected by the risks present in the legacy behavior, and are unaffected by this vulnerability and change to default behavior. See this link for more information about repository management: https://maven.apache.org/repository-management.html

Common Vulnerability Scoring System (CVSS)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Low

Attack complexity

Network

Attack vector

None

Availability

High

Confidentiality

High

Integrity

None

Privileges required

Unchanged

Scope

None

User interaction

9.1

Base score

3.9

5.2

Exploitability score

Impact score

Verification logic

Reference

https://lists.apache.org/thread.html/r9a027668558264c4897633e66bcb7784099fdec9f9b22c38c2442f00%40%3Cusers.maven.apache.org%3E
[maven-dev] 20210423 CVE-2021-26291: Apache Maven: block repositories using http by default-Mailing List, Vendor Advisory
[maven-users] 20210423 CVE-2021-26291: Apache Maven: block repositories using http by default-Mailing List, Vendor Advisory
[oss-security] 20210423 CVE-2021-26291: Apache Maven: block repositories using http by default-Mailing List, Third Party Advisory
[announce] 20210423 CVE-2021-26291: Apache Maven: block repositories using http by default-Mailing List, Vendor Advisory
[jena-dev] 20210428 FYI: Maven CVE-2021-26291-Mailing List, Vendor Advisory
[jena-dev] 20210429 Re: FYI: Maven CVE-2021-26291-Mailing List, Vendor Advisory
[myfaces-dev] 20210506 [GitHub] [myfaces-tobago] lofwyr14 opened a new pull request #817: build: CVE fix-Mailing List, Vendor Advisory
[kafka-jira] 20210520 [jira] [Created] (KAFKA-12820) Upgrade maven-artifact dependency to resolve CVE-2021-26291-Mailing List, Vendor Advisory
[kafka-dev] 20210520 [jira] [Created] (KAFKA-12820) Upgrade maven-artifact dependency to resolve CVE-2021-26291-Mailing List, Vendor Advisory
[kafka-jira] 20210520 [jira] [Assigned] (KAFKA-12820) Upgrade maven-artifact dependency to resolve CVE-2021-26291-Mailing List, Vendor Advisory
[kafka-jira] 20210520 [GitHub] [kafka] dongjinleekr opened a new pull request #10739: KAFKA-12820: Upgrade maven-artifact dependency to resolve CVE-2021-26291-Mailing List, Vendor Advisory
[kafka-jira] 20210521 [jira] [Resolved] (KAFKA-12820) Upgrade maven-artifact dependency to resolve CVE-2021-26291-Mailing List, Vendor Advisory
[kafka-commits] 20210521 [kafka] branch 2.8 updated: KAFKA-12820: Upgrade maven-artifact dependency to resolve CVE-2021-26291-Mailing List, Patch, Vendor Advisory
[kafka-commits] 20210521 [kafka] branch 2.6 updated: KAFKA-12820: Upgrade maven-artifact dependency to resolve CVE-2021-26291-Mailing List, Patch, Vendor Advisory
[kafka-commits] 20210521 [kafka] branch 2.7 updated: KAFKA-12820: Upgrade maven-artifact dependency to resolve CVE-2021-26291-Mailing List, Vendor Advisory
[kafka-dev] 20210521 [jira] [Resolved] (KAFKA-12820) Upgrade maven-artifact dependency to resolve CVE-2021-26291-Mailing List, Vendor Advisory
[kafka-jira] 20210521 [GitHub] [kafka] omkreddy merged pull request #10739: KAFKA-12820: Upgrade maven-artifact dependency to resolve CVE-2021-26291-Mailing List, Vendor Advisory
https://lists.apache.org/thread.html/r7212b874e575e59d648980d91bc22e684906aee9b211ab92da9591f5@%3Cdev.kafka.apache.org%3E
https://lists.apache.org/thread.html/rcd6c3a36f1dbc130da1b89d0f320db7040de71661a512695a8d513ac@%3Cdev.kafka.apache.org%3E
[kafka-users] 20210617 vulnerabilities-Mailing List, Vendor Advisory
https://www.whitesourcesoftware.com/resources/blog/maven-security-vulnerability-cve-2021-26291/
[karaf-issues] 20210718 [jira] [Created] (KARAF-7224) Impact of CVE-2021-26291 on Karaf-Mailing List, Vendor Advisory
[karaf-issues] 20210718 [jira] [Created] (KARAF-7223) Upgrade maven artifacts to mitigate CVE-2021-26291-Mailing List, Vendor Advisory
[karaf-issues] 20210719 [jira] [Assigned] (KARAF-7224) Impact of CVE-2021-26291 on Karaf-Mailing List, Vendor Advisory
[karaf-issues] 20210719 [jira] [Assigned] (KARAF-7223) Upgrade maven artifacts to mitigate CVE-2021-26291-Mailing List, Vendor Advisory
[karaf-issues] 20210719 [jira] [Commented] (KARAF-7224) Impact of CVE-2021-26291 on Karaf-Mailing List, Vendor Advisory
[karaf-issues] 20210720 [jira] [Commented] (KARAF-7224) Impact of CVE-2021-26291 on Karaf-Mailing List, Vendor Advisory
[druid-commits] 20210809 [GitHub] [druid] abhishekagarwal87 opened a new pull request #11562: suppress CVE-2021-26291 on kafka-clients-Mailing List, Vendor Advisory
[kafka-jira] 20210809 [jira] [Commented] (KAFKA-12820) Upgrade maven-artifact dependency to resolve CVE-2021-26291-Mailing List, Vendor Advisory
[druid-commits] 20210809 [GitHub] [druid] abhishekagarwal87 merged pull request #11562: suppress CVE-2021-26291 on kafka-clients-Mailing List, Vendor Advisory
[druid-commits] 20210809 [GitHub] [druid] jihoonson commented on pull request #11562: suppress CVE-2021-26291 on kafka-clients-Mailing List, Vendor Advisory
[karaf-issues] 20210810 [jira] [Commented] (KARAF-7240) Upgrade bcprov artifacts to mitigate CVE-2020-28052-Mailing List, Vendor Advisory
[karaf-issues] 20210810 [jira] [Created] (KARAF-7240) Upgrade bcprov artifacts to mitigate CVE-2020-28052-Mailing List, Vendor Advisory
[karaf-issues] 20210810 [jira] [Updated] (KARAF-7240) Upgrade bcprov artifacts to mitigate CVE-2020-28052-Mailing List, Vendor Advisory
[karaf-issues] 20210816 [jira] [Updated] (KARAF-7240) Upgrade bcprov 1.69 artifacts to mitigate CVE-2020-28052-Mailing List, Vendor Advisory
[karaf-issues] 20210816 [jira] [Updated] (KARAF-7240) Upgrade bcprov artifacts to mitigate CVE-2020-28052-Mailing List, Vendor Advisory
[karaf-issues] 20210817 [jira] [Updated] (KARAF-7240) Upgrade bcprov 1.68 artifacts to mitigate CVE-2020-28052-Mailing List, Vendor Advisory
[karaf-issues] 20210817 [jira] [Commented] (KARAF-7240) Upgrade bcprov 1.68 artifacts to mitigate CVE-2020-28052-Mailing List, Patch, Vendor Advisory
[karaf-issues] 20210820 [jira] [Updated] (KARAF-7240) Upgrade bcprov 1.68 artifacts to mitigate CVE-2020-28052-Mailing List, Vendor Advisory
[karaf-issues] 20210824 [jira] [Commented] (KARAF-7240) Upgrade bcprov 1.68 artifacts to mitigate CVE-2020-28052-Mailing List, Vendor Advisory
[karaf-issues] 20210824 [jira] [Resolved] (KARAF-7240) Upgrade bcprov 1.68 artifacts to mitigate CVE-2020-28052-Mailing List, Vendor Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html
N/A-

Keywords

CVE-2021-26291

Common vulnerabilities & exposures (CVE)

Description

Common Vulnerability Scoring System (CVSS)

Verification logic

Reference

NVD

CVE-2021-26291

CVE

Common vulnerabilities & exposures

CVSS

Common vulnerability scoring system

Security

Vulnerabilities

Exposures