FreeBSD VuXML advisory 20006B5F-A0BC-11EB-8AE6-FC4DD43E2B6A
History: Apr 04, 2021 - 12:00 a.m.

Apache Maven -- multiple vulnerabilities

2021-04-04 00:00:00
Source: vuxml.freebsd.org

CVSS2: 6.4 (AV:N/AC:L/Au:N/C:P/I:P/A:N)
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: NONE

CVSS3: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: NONE

EPSS: 0.002 (Percentile: 53.1%)

The Apache Maven project reports:

We received a report from Jonathan Leitschuh about a vulnerability
of custom repositories in dependency POMs. We’ve split this up
into three separate issues:

Possible Man-In-The-Middle-Attack due to custom repositories
using HTTP.

    More and more repositories use HTTPS nowadays, but this
    hasn't always been the case. This means that Maven Central contains
    POMs with custom repositories that refer to a URL over HTTP. This
    makes downloads via such repository a target for a MITM attack. At
    the same time, developers are probably not aware that for some
    downloads an insecure URL is being used. Because uploaded POMs to
    Maven Central are immutable, a change for Maven was required. To
    solve this, we extended the mirror configuration with blocked
    parameter, and we added a new external:http:* mirror selector (like
    existing external:*), meaning "any external URL using HTTP".

    The decision was made to block such external HTTP repositories by default:
    this is done by providing a mirror in the conf/settings.xml blocking
    insecure HTTP external URLs.

Possible Domain Hijacking due to custom repositories using abandoned
domains

    Sonatype has analyzed which domains were abandoned and has claimed these
    domains.

Possible hijacking of downloads by redirecting to custom repositories

    This one was the hardest to analyze and explain. The short story is:
    you're safe, dependencies are only downloaded from repositories within
    their context. So there are two main questions: what is the context and
    what is the order? The order is described on the Repository Order page.
    The first group of repositories are defined in the settings.xml (both user
    and global). The second group of repositories are based on inheritance,
    with ultimately the super POM containing the URL to Maven Central. The
    third group is the most complex one but is important to understand the
    term context: repositories from the effective POMs from the dependency
    path to the artifact. So if a dependency was defined by another dependency
    or by a Maven project, it will also include their repositories. In the end
    this is not a bug, but a design feature.
Affected packages:

OS       Version  Architecture  Package  Version  Filename
FreeBSD  any      noarch        maven    < 3.8.1  UNKNOWN
