CVSS: 7.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

26 Sep 2024 — Exposure of Sensitive Information to an Unauthorized Actor, Insecure Storage of Sensitive Information vulnerability in Maven Archetype Plugin. This issue affects Maven Archetype Plugin: from 3.2.1 before 3.3.0. Users are recommended to upgrade to version 3.3.0, which fixes the issue. Archetype integration testing creates a file called ./target/classes/archetype-it/archetype-settings.xml. This file contains all the content from the user's ~/.m2/settings.xml file, which often contains information they do not wa... • https://lists.apache.org/thread/ftg81np183wnyk0kg4ks95dvgxdrof96 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor • CWE-922: Insecure Storage of Sensitive Information

CVSS: 9.8 • EPSS: 0% • CPEs: 3 • EXPL: 0

27 Apr 2022 — In Apache Maven maven-shared-utils prior to version 3.3.3, the Commandline class can emit double-quoted strings without proper escaping, allowing shell injection attacks. A flaw was found in the maven-shared-utils package. This issue allows a Command Injection due to improper escaping, allowing a shell injection atta... • http://www.openwall.com/lists/oss-security/2022/05/23/3 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') • CWE-116: Improper Encoding or Escaping of Output

CVSS: 9.1 • EPSS: 54% • CPEs: 5 • EXPL: 2

23 Apr 2021 — Apache Maven will follow repositories that are defined in a dependency's Project Object Model (POM), which may be surprising to some users, resulting in potential risk if a malicious actor takes over that repository or is able to insert themselves into a position to pretend to be that repository. Maven is changing the default behavior in 3.8.1+ to no longer follow http (non-SSL) repository references by default. More details are available in the referenced URLs. If you are currently using a repository manager to... • https://github.com/jpmartins/MinimalReproducer • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor • CWE-346: Origin Validation Error

CVSS: 5.9 • EPSS: 0% • CPEs: 2 • EXPL: 0

09 Apr 2013 — The default configuration of Apache Maven 3.0.4, when using Maven Wagon 2.1, disables SSL certificate checks, which allows remote attackers to spoof servers via a man-in-the-middle (MITM) attack. • http://rhn.redhat.com/errata/RHSA-2013-0700.html • CWE-16: Configuration