Vulnerability Description
Apache Maven will follow repositories that are defined in a dependency's Project Object Model (POM), which may be surprising to some users: a transitive dependency can silently add a download location to a build. This creates risk if a malicious actor takes over that repository, or is able to get into a position to impersonate it (for example by interposing on a plain-http connection). Maven 3.8.1+ changes the default behavior so that http (non-SSL) repository references are no longer followed by default. More details are available in the referenced URLs. If you are currently using a repository manager to govern the repositories used by your builds, you are unaffected by the risks present in the legacy behavior, and are unaffected both by this vulnerability and by the change in default behavior. See this link for more information about repository management: https://maven.apache.org/repository-management.html
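The script below is an added example, not code from the Maven project or from this advisory. It parses a constructed dependency POM (all hostnames are placeholders under .invalid), lists the repositories that POM would pull into a build, and reimplements, in simplified form, the mirrorOf matching Maven applies, so you can see which of those repositories the blocking mirror that Maven 3.8.1+ ships in its default settings.xml (mirrorOf external:http:*, blocked true) refuses. Only repositories declared directly in the POM are walked; profile-scoped ones are not.

```python
"""Added example: which repositories does a dependency POM drag in, and which
of them does Maven 3.8.1's default http-blocking mirror refuse?"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample: a transitive dependency whose POM adds its own repositories.
# The .invalid hostnames are placeholders, not real servers.
DEPENDENCY_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId><artifactId>widget</artifactId><version>1.0</version>
  <repositories>
    <repository><id>legacy-http</id><url>http://repo.example.invalid/maven2</url></repository>
    <repository><id>local-dev</id><url>http://localhost:8081/repository/maven-public</url></repository>
    <repository><id>central-tls</id><url>https://repo.maven.apache.org/maven2</url></repository>
  </repositories>
  <pluginRepositories>
    <pluginRepository><id>plugins-http</id><url>http://plugins.example.invalid/m2</url></pluginRepository>
  </pluginRepositories>
</project>
"""

# The mirror Maven 3.8.1+ ships in conf/settings.xml: every "external http"
# repository is redirected to a mirror marked blocked, so downloads from it fail
# instead of going out over plain http.
SETTINGS_XML = """<settings xmlns="http://maven.apache.org/SETTINGS/1.2.0">
  <mirrors>
    <mirror>
      <id>maven-default-http-blocker</id>
      <mirrorOf>external:http:*</mirrorOf>
      <name>Pseudo repository to mirror external repositories initially using HTTP.</name>
      <url>http://0.0.0.0/</url>
      <blocked>true</blocked>
    </mirror>
  </mirrors>
</settings>
"""


def _children(elem, name):
    """Children whose local tag equals name; POMs in the wild often omit the xmlns."""
    return [c for c in elem if c.tag.rsplit("}", 1)[-1] == name]


def _text(elem, name):
    kids = _children(elem, name)
    return (kids[0].text or "").strip() if kids else ""


def declared_repositories(pom_xml):
    """(kind, id, url) for every <repository>/<pluginRepository> declared in a POM."""
    root = ET.fromstring(pom_xml)
    found = []
    for container, child in (("repositories", "repository"),
                             ("pluginRepositories", "pluginRepository")):
        for block in _children(root, container):
            for repo in _children(block, child):
                found.append((child, _text(repo, "id"), _text(repo, "url")))
    return found


def is_external_http(url):
    """Maven's 'external:http:*' rule: http://, dav:http:// or dav+http:// to any
    host other than localhost/127.0.0.1 counts as external plain http."""
    for prefix in ("http://", "dav:http://", "dav+http://"):
        if url.startswith(prefix):
            host = urlparse("http://" + url[len(prefix):]).hostname
            return host not in ("localhost", "127.0.0.1")
    return False


def is_local_repo(url):
    """'external:*' excludes file: URLs and anything on localhost."""
    return url.startswith("file:") or urlparse(url).hostname in ("localhost", "127.0.0.1")


def mirror_matches(mirror_of, repo_id, url):
    """Simplified mirrorOf matching (assumption: covers '*', 'external:*',
    'external:http:*', comma-separated ids and '!id' exclusions only)."""
    patterns = [p.strip() for p in mirror_of.split(",") if p.strip()]
    if "!" + repo_id in patterns:
        return False
    for p in patterns:
        if p == repo_id or p == "*":
            return True
        if p == "external:*" and not is_local_repo(url):
            return True
        if p == "external:http:*" and is_external_http(url):
            return True
    return False


def blocking_mirrors(settings_xml):
    """mirrorOf patterns of every <mirror> carrying <blocked>true</blocked>."""
    root = ET.fromstring(settings_xml)
    return [_text(m, "mirrorOf")
            for mirrors in _children(root, "mirrors")
            for m in _children(mirrors, "mirror")
            if _text(m, "blocked").lower() == "true"]


def blocked_repositories(pom_xml, settings_xml):
    """Ids of repositories the POM declares that a blocking mirror would refuse."""
    blockers = blocking_mirrors(settings_xml)
    return sorted(rid for _, rid, url in declared_repositories(pom_xml)
                  if any(mirror_matches(p, rid, url) for p in blockers))


if __name__ == "__main__":
    blocked = set(blocked_repositories(DEPENDENCY_POM, SETTINGS_XML))
    for kind, rid, url in declared_repositories(DEPENDENCY_POM):
        print(f"{kind:17} {rid:12} {url:50} {'BLOCKED' if rid in blocked else 'allowed'}")
```

Run against a real checkout, the same functions can be pointed at the POMs cached under ~/.m2/repository to find which already-resolved dependencies declare plain-http repositories. The `<blocked>` mirror element is a Maven 3.8.1 addition; on an older Maven the advisory's own mitigation applies, which is to route every repository through a repository manager with a catch-all mirror (`<mirrorOf>*</mirrorOf>`) so that dependency-declared URLs are never contacted directly.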
CVSS Score
9.1 (CRITICAL)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Maven | < 3.8.1 |
| Quarkus | Quarkus | < 1.13.5 |
| Oracle | Financial Services Analytical Applications Infrastructure | >= 8.0.6.0.0, <= 8.0.9.0.0 |
| Oracle | Goldengate Big Data And Application Adapters | 23.1 |
Related Weaknesses (CWE)
References
- http://www.openwall.com/lists/oss-security/2021/04/23/5 (Mailing List, Third Party Advisory)
- https://lists.apache.org/thread.html/r0556ce5db7231025785477739ee416b169d8aff5ee
- https://lists.apache.org/thread.html/r06db4057b74e0598a412734f693a34a8836ac6f06d
- https://lists.apache.org/thread.html/r07a89b32783f73bda6903c1f9aadeb859e5bef0a4d
- https://lists.apache.org/thread.html/r08a401f8c98a99f68d061fde6e6659d695f28d60fe
- https://lists.apache.org/thread.html/r0a5e4ff2a7ca7ad8595d7683afbaeb3b8788ba9746
- https://lists.apache.org/thread.html/r0d083314aa3934dd4b6e6970d1f6ee50f6eaa9d867
- https://lists.apache.org/thread.html/r167dbc42ef7c59802c2ca1ac14735ef9cf687c2520
- https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdb
- https://lists.apache.org/thread.html/r2ddabd06d94b60cfb0141e4abb23201c628ab925e3
- https://lists.apache.org/thread.html/r30a139c165b3da6e0d5536434ab1550534011b1fdf
- https://lists.apache.org/thread.html/r30e9fcba679d164158cc26236704c351954909c18c
- https://lists.apache.org/thread.html/r340e75c9bb6e8661b89e1cf2c52f4638a18312e57b
- https://lists.apache.org/thread.html/r39fa6ec4b7e912d3e04ea68efd23e554ec9c8efa2c
- https://lists.apache.org/thread.html/r3f0450dcab7e63b5f233ccfbc6fca5f1867a75c8aa
FAQ
What is CVE-2021-26291?
CVE-2021-26291 is a vulnerability in Apache Maven with a CVSS score of 9.1 (CRITICAL). Maven follows repositories that are defined in a dependency's Project Object Model (POM), which may be surprising to some users and creates risk if a malicious actor takes over such a repository or is able to impersonate it. See the Vulnerability Description above for details.
How severe is CVE-2021-26291?
CVE-2021-26291 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2021-26291?
Yes. Apache Maven 3.8.1 changes the default behavior so that http (non-SSL) repository references are no longer followed; upgrade to 3.8.1 or later, or route all repository access through a repository manager, which the advisory states leaves you unaffected. Check the references section above for vendor advisories and patch information for the other affected products: Quarkus Quarkus, Oracle Financial Services Analytical Applications Infrastructure, and Oracle Goldengate Big Data And Application Adapters.