PT-2024-32476 · Apache · Maven Archetype Plugin

Niels Basjes · Published 2024-09-26 · Updated 2025-03-17 · CVE-2024-47197

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Maven Archetype Plugin versions 3.2.1 through 3.2.x
Maven Archetype Plugin versions prior to 3.3.0

Description
The issue is the exposure of sensitive information to unauthorized actors, caused by insecure storage of sensitive information in the Maven Archetype Plugin. During archetype integration testing the plugin creates a file called ./target/classes/archetype-it/archetype-settings.xml that contains the full content of the user's ~/.m2/settings.xml, which often includes credentials. Because target/classes is what gets packaged, a developer who publishes the resulting artifact to Maven Central or any other remote repository without noticing the file would publish their credentials along with it.

Recommendations
For Maven Archetype Plugin versions 3.2.1 through 3.2.x, upgrade to version 3.3.0, which fixes the issue. For Maven Archetype Plugin versions prior to 3.3.0, upgrade to version 3.3.0, which fixes the issue. As a temporary workaround, consider running mvn clean before mvn verify so that the sensitive file is not included in the final artifact.
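The workaround above only helps if the file is actually gone before packaging, so a defender will want a check that inspects both the target/ tree and the packaged jar for the leaked file and reports whether it carries credential-bearing elements. The following script is an added example, not code from the advisory or from the Maven Archetype Plugin; it builds a constructed target/ layout and jar in a temporary directory (with made-up settings values), and the list of element names treated as sensitive is an assumption, not something the advisory specifies.

```python
"""Check a built Maven artifact and its target/ tree for the leaked
archetype-settings.xml file described in the advisory.
Added example; not the plugin's own code."""
import tempfile
import zipfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Path named by the advisory, relative to target/classes; the jar packages
# target/classes at its root, so the same suffix identifies it inside the jar.
LEAK_SUFFIX = "archetype-it/archetype-settings.xml"
# settings.xml elements that commonly hold secrets (assumption, not from the advisory).
SENSITIVE_TAGS = {"username", "password", "passphrase", "privateKey"}

# Constructed sample resembling a developer's ~/.m2/settings.xml; values are made up.
SAMPLE_SETTINGS = """<?xml version="1.0" encoding="UTF-8"?>
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <servers>
    <server>
      <id>ossrh</id>
      <username>example-user</username>
      <password>example-password</password>
    </server>
  </servers>
</settings>
"""


def sensitive_elements(xml_text):
    """Return the sorted names of non-empty credential-style elements in a settings.xml."""
    root = ET.fromstring(xml_text)
    found = set()
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1]  # drop the XML namespace prefix
        if tag in SENSITIVE_TAGS and (el.text or "").strip():
            found.add(tag)
    return sorted(found)


def scan_jar(jar_path):
    """List (entry name, sensitive tags) for every leaked settings file inside a jar."""
    findings = []
    with zipfile.ZipFile(jar_path) as zf:
        for name in zf.namelist():
            if name.endswith(LEAK_SUFFIX):
                findings.append((name, sensitive_elements(zf.read(name).decode("utf-8"))))
    return findings


def scan_target_dir(target_dir):
    """Same check over an unpacked target/ directory, before packaging happens."""
    target_dir = Path(target_dir)
    findings = []
    for path in target_dir.rglob("archetype-settings.xml"):
        if path.as_posix().endswith(LEAK_SUFFIX):
            rel = path.relative_to(target_dir).as_posix()
            findings.append((rel, sensitive_elements(path.read_text("utf-8"))))
    return findings


def build_demo_project(root):
    """Lay out target/ the way a vulnerable archetype IT run leaves it, then package it."""
    classes = Path(root) / "target" / "classes"
    leak = classes / LEAK_SUFFIX
    leak.parent.mkdir(parents=True)
    leak.write_text(SAMPLE_SETTINGS, encoding="utf-8")
    jar = Path(root) / "target" / "demo-archetype-1.0.jar"  # constructed artifact name
    with zipfile.ZipFile(jar, "w") as zf:
        for f in classes.rglob("*"):
            if f.is_file():
                zf.write(f, f.relative_to(classes).as_posix())
    return jar


def run_demo():
    """Build the constructed project and return findings for both the jar and target/."""
    with tempfile.TemporaryDirectory() as tmp:
        jar = build_demo_project(tmp)
        return {"jar": scan_jar(jar), "target": scan_target_dir(Path(tmp) / "target")}


if __name__ == "__main__":
    for where, findings in run_demo().items():
        for name, tags in findings:
            print(f"[{where}] {name}: leaked settings file, credential elements: {tags or 'none'}")
```

Run it against a real build by calling scan_target_dir("target") after mvn verify and scan_jar on the produced artifact; any finding at all means the file reached the build output, and a non-empty tag list means credentials would ship with it if deployed.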

Fix

Information Disclosure

Insecure Storage of Sensitive Information


Weakness Enumeration

Related Identifiers

CVE-2024-47197
GHSA-2QQ7-FCH2-PHQF
OPENSUSE-SU-2024:14372-1

Affected Products

Maven Archetype Plugin