CVE-2021-26291

Published: 23 April 2021

Apache Maven will follow repositories that are defined in a dependency’s Project Object Model (pom) which may be surprising to some users, resulting in potential risk if a malicious actor takes over that repository or is able to insert themselves into a position to pretend to be that repository. Maven is changing the default behavior in 3.8.1+ to no longer follow http (non-SSL) repository references by default. More details available in the referenced urls. If you are currently using a repository manager to govern the repositories used by your builds, you are unaffected by the risks present in the legacy behavior, and are unaffected by this vulnerability and change to default behavior. See this link for more information about repository management: https://maven.apache.org/repository-management.html

Priority

Cvss 3 Severity Score

9.1

Score breakdown

Status

Package	Release	Status
maven Launchpad, Ubuntu, Debian	bionic	Released (3.6.0-1~18.04.1ubuntu0.1~esm1) Available with Ubuntu Pro
	focal	Released (3.6.3-1ubuntu0.1+esm1) Available with Ubuntu Pro
	groovy	Ignored (end of life)
	hirsute	Ignored (end of life)
	impish	Ignored (end of life)
	jammy	Released (3.6.3-5ubuntu0.1~esm1) Available with Ubuntu Pro
	kinetic	Ignored (end of life, was needs-triage)
	lunar	Ignored (end of life, was needs-triage)
	mantic	Needs triage
	trusty	Needs triage
	upstream	Needs triage
	xenial	Released (3.3.9-3ubuntu0.1~esm1) Available with Ubuntu Pro

Severity score breakdown

Parameter	Value
Base score	9.1
Attack vector	Network
Attack complexity	Low
Privileges required	None
User interaction	None
Scope	Unchanged
Confidentiality	High
Integrity impact	High
Availability impact	None
Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

References

Join the discussion

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›