PT-2021-7897 · Apache · Apache Maven

Published: 2021-04-23 · Updated: 2026-04-11 · CVE-2021-26291

CVSS v2.0: 9.4 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:N
Name of the Vulnerable Software and Affected Versions: Apache Maven versions prior to 3.8.1

Description: The issue stems from insufficient validation of the origin of data in the Apache Maven framework. Exploitation may allow a remote attacker to gain unauthorized access to protected information. Apache Maven follows the repositories defined in a dependency's Project Object Model (POM), which is a risk if a malicious actor takes control of that repository or is positioned on the network path to impersonate it; plain http references offer no way to detect either case.

Recommendations: For versions prior to 3.8.1, update to 3.8.1 or later, which changes the default behavior so that http (non-SSL) repository references are no longer followed by default. If you already use a repository manager to govern the repositories your builds use, you are not exposed to the legacy behavior; consider adopting one to minimize the risk of exploitation. As a temporary workaround, restrict access to non-SSL repository references until the issue is resolved.
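The first step of the workaround above is finding out which POMs still declare plain-http repositories. The following audit script is an added example, not part of this advisory or of Apache Maven: it parses a POM and reports every repository, plugin repository or distribution repository whose URL is http:// (or built from an unresolved property), while ignoring the POM namespace URI, which is http:// but never contacted. The sample POM, the repository ids and the host names are constructed for illustration.

```python
"""Flag Maven repositories declared over plain HTTP in a POM (added audit example)."""
from __future__ import annotations
import sys
import xml.etree.ElementTree as ET
# Elements whose <url> child names an artifact repository Maven will contact.
REPO_TAGS = {"repository", "pluginRepository", "snapshotRepository"}


def _local(tag: str) -> str:
    """Strip the namespace: '{http://maven.apache.org/POM/4.0.0}url' -> 'url'."""
    return tag.rsplit("}", 1)[-1]


def find_http_repositories(pom_xml: str) -> list[tuple[str, str, str]]:
    """Return (section, id, url) for each repository reached over http://.
    Only the <url> child of repository elements is examined, so the POM namespace
    URI is not a finding. URLs built from ${properties} cannot be judged
    statically and are returned as well, for manual review."""
    root = ET.fromstring(pom_xml)
    findings: list[tuple[str, str, str]] = []

    def walk(node: ET.Element, parent: str) -> None:
        tag = _local(node.tag)
        if tag in REPO_TAGS:
            fields = {_local(c.tag): (c.text or "").strip() for c in node}
            url = fields.get("url", "")
            if url.lower().startswith("http://") or "${" in url:
                findings.append((parent, fields.get("id", "?"), url))
        for child in node:
            walk(child, tag)

    walk(root, "")
    return findings


# Constructed sample POM: a legacy http repository, a TLS one and an http plugin repo.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <repositories>
    <repository><id>legacy-mirror</id><url>http://repo.example.internal/maven2</url></repository>
    <repository><id>central</id><url>https://repo.maven.apache.org/maven2</url></repository>
  </repositories>
  <pluginRepositories>
    <pluginRepository><id>old-plugins</id><url>HTTP://plugins.example.internal/</url></pluginRepository>
  </pluginRepositories>
</project>"""

if __name__ == "__main__":  # audit POM files named on the command line, else the sample
    sources = {f: open(f, encoding="utf-8").read() for f in sys.argv[1:]} or {"sample": SAMPLE_POM}
    for name, xml in sources.items():
        for section, rid, url in find_http_repositories(xml):
            print(f"{name}: {section}/{rid} uses {url}")
```

Point it at the `*.pom` files under `~/.m2/repository` to cover repositories declared by transitive dependencies, which is where the legacy behavior bites.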


Weakness Enumeration

Origin Validation Error

Related Identifiers

BDU:2023-05216
BIT-MAVEN-2021-26291
CVE-2021-26291
GHSA-2F88-5HG8-9X2X
MGASA-2023-0230
OESA-2021-1276
OPENSUSE-SU-2024:10687-1
OPENSUSE-SU-2024:11042-1
RHSA-2023:3198
RHSA-2024:0776
RHSA-2024:0778
USN-5245-1
USN-5805-1

Affected Products

Apache Maven
Astra Linux
Debian
Linuxmint
Red Os
Ubuntu