QwikSec

Security Database

CVE

CWE

Training

CVE-2021-26291

Published: Apr 23, 2021

Modified: Aug 3, 2024

PUBLISHED

Description

Apache Maven will follow repositories that are defined in a dependency’s Project Object Model (pom) which may be surprising to some users, resulting in potential risk if a malicious actor takes over that repository or is able to insert themselves into a position to pretend to be that repository. Maven is changing the default behavior in 3.8.1+ to no longer follow http (non-SSL) repository references by default. More details available in the referenced urls. If you are currently using a repository manager to govern the repositories used by your builds, you are unaffected by the risks present in the legacy behavior, and are unaffected by this vulnerability and change to default behavior. See this link for more information about repository management: https://maven.apache.org/repository-management.html

Vendor	Product	Versions
Apache Software Foundation	Apache Maven	affected `Apache Maven - <= 3.8.1`

References

https://lists.apache.org/thread.html/r9a027668558264c4897633e66bcb7784099fdec9f9b22c38c2442f00%40%3Cusers.maven.apache.org%3E

x_refsource_MISC

[maven-dev] 20210423 CVE-2021-26291: Apache Maven: block repositories using http by default

mailing-list

x_refsource_MLIST

[maven-users] 20210423 CVE-2021-26291: Apache Maven: block repositories using http by default

mailing-list

x_refsource_MLIST

[oss-security] 20210423 CVE-2021-26291: Apache Maven: block repositories using http by default

mailing-list

x_refsource_MLIST

[announce] 20210423 CVE-2021-26291: Apache Maven: block repositories using http by default

mailing-list

x_refsource_MLIST

[jena-dev] 20210428 FYI: Maven CVE-2021-26291

mailing-list

x_refsource_MLIST

[jena-dev] 20210429 Re: FYI: Maven CVE-2021-26291

mailing-list

x_refsource_MLIST

[myfaces-dev] 20210506 [GitHub] [myfaces-tobago] lofwyr14 opened a new pull request #817: build: CVE fix

mailing-list

x_refsource_MLIST

[kafka-jira] 20210520 [jira] [Created] (KAFKA-12820) Upgrade maven-artifact dependency to resolve CVE-2021-26291

mailing-list

x_refsource_MLIST

[kafka-dev] 20210520 [jira] [Created] (KAFKA-12820) Upgrade maven-artifact dependency to resolve CVE-2021-26291

mailing-list

x_refsource_MLIST

[kafka-jira] 20210520 [GitHub] [kafka] dongjinleekr opened a new pull request #10739: KAFKA-12820: Upgrade maven-artifact dependency to resolve CVE-2021-26291

mailing-list

x_refsource_MLIST

[kafka-jira] 20210520 [jira] [Assigned] (KAFKA-12820) Upgrade maven-artifact dependency to resolve CVE-2021-26291

mailing-list

x_refsource_MLIST

[kafka-jira] 20210521 [GitHub] [kafka] omkreddy merged pull request #10739: KAFKA-12820: Upgrade maven-artifact dependency to resolve CVE-2021-26291

mailing-list

x_refsource_MLIST

[kafka-dev] 20210521 [jira] [Resolved] (KAFKA-12820) Upgrade maven-artifact dependency to resolve CVE-2021-26291

mailing-list

x_refsource_MLIST

[kafka-commits] 20210521 [kafka] branch 2.6 updated: KAFKA-12820: Upgrade maven-artifact dependency to resolve CVE-2021-26291

mailing-list

x_refsource_MLIST

[kafka-commits] 20210521 [kafka] branch 2.8 updated: KAFKA-12820: Upgrade maven-artifact dependency to resolve CVE-2021-26291

mailing-list

x_refsource_MLIST

[kafka-jira] 20210521 [jira] [Resolved] (KAFKA-12820) Upgrade maven-artifact dependency to resolve CVE-2021-26291

mailing-list

x_refsource_MLIST

[kafka-commits] 20210521 [kafka] branch 2.7 updated: KAFKA-12820: Upgrade maven-artifact dependency to resolve CVE-2021-26291

mailing-list

x_refsource_MLIST

[kafka-users] 20210617 vulnerabilities

mailing-list

x_refsource_MLIST

[karaf-issues] 20210718 [jira] [Created] (KARAF-7224) Impact of CVE-2021-26291 on Karaf

mailing-list

x_refsource_MLIST

[karaf-issues] 20210718 [jira] [Created] (KARAF-7223) Upgrade maven artifacts to mitigate CVE-2021-26291

mailing-list

x_refsource_MLIST

[karaf-issues] 20210719 [jira] [Commented] (KARAF-7224) Impact of CVE-2021-26291 on Karaf

mailing-list

x_refsource_MLIST

[karaf-issues] 20210719 [jira] [Assigned] (KARAF-7224) Impact of CVE-2021-26291 on Karaf

mailing-list

x_refsource_MLIST

[karaf-issues] 20210719 [jira] [Assigned] (KARAF-7223) Upgrade maven artifacts to mitigate CVE-2021-26291

mailing-list

x_refsource_MLIST

[karaf-issues] 20210720 [jira] [Commented] (KARAF-7224) Impact of CVE-2021-26291 on Karaf

mailing-list

x_refsource_MLIST

[druid-commits] 20210809 [GitHub] [druid] abhishekagarwal87 opened a new pull request #11562: suppress CVE-2021-26291 on kafka-clients

mailing-list

x_refsource_MLIST

[kafka-jira] 20210809 [jira] [Commented] (KAFKA-12820) Upgrade maven-artifact dependency to resolve CVE-2021-26291

mailing-list

x_refsource_MLIST

[druid-commits] 20210809 [GitHub] [druid] abhishekagarwal87 merged pull request #11562: suppress CVE-2021-26291 on kafka-clients

mailing-list

x_refsource_MLIST

[druid-commits] 20210809 [GitHub] [druid] jihoonson commented on pull request #11562: suppress CVE-2021-26291 on kafka-clients

mailing-list

x_refsource_MLIST

[karaf-issues] 20210810 [jira] [Created] (KARAF-7240) Upgrade bcprov artifacts to mitigate CVE-2020-28052

mailing-list

x_refsource_MLIST

[karaf-issues] 20210810 [jira] [Updated] (KARAF-7240) Upgrade bcprov artifacts to mitigate CVE-2020-28052

mailing-list

x_refsource_MLIST

[karaf-issues] 20210810 [jira] [Commented] (KARAF-7240) Upgrade bcprov artifacts to mitigate CVE-2020-28052

mailing-list

x_refsource_MLIST

[karaf-issues] 20210816 [jira] [Updated] (KARAF-7240) Upgrade bcprov artifacts to mitigate CVE-2020-28052

mailing-list

x_refsource_MLIST

[karaf-issues] 20210816 [jira] [Updated] (KARAF-7240) Upgrade bcprov 1.69 artifacts to mitigate CVE-2020-28052

mailing-list

x_refsource_MLIST

[karaf-issues] 20210817 [jira] [Commented] (KARAF-7240) Upgrade bcprov 1.68 artifacts to mitigate CVE-2020-28052

mailing-list

x_refsource_MLIST

[karaf-issues] 20210817 [jira] [Updated] (KARAF-7240) Upgrade bcprov 1.68 artifacts to mitigate CVE-2020-28052

mailing-list

x_refsource_MLIST

[karaf-issues] 20210820 [jira] [Updated] (KARAF-7240) Upgrade bcprov 1.68 artifacts to mitigate CVE-2020-28052

mailing-list

x_refsource_MLIST

[karaf-issues] 20210824 [jira] [Commented] (KARAF-7240) Upgrade bcprov 1.68 artifacts to mitigate CVE-2020-28052

mailing-list

x_refsource_MLIST

[karaf-issues] 20210824 [jira] [Resolved] (KARAF-7240) Upgrade bcprov 1.68 artifacts to mitigate CVE-2020-28052

mailing-list

x_refsource_MLIST

https://www.oracle.com/security-alerts/cpuapr2022.html

x_refsource_MISC

https://lists.apache.org/thread.html/r7212b874e575e59d648980d91bc22e684906aee9b211ab92da9591f5%40%3Cdev.kafka.apache.org%3E

x_refsource_MISC

https://lists.apache.org/thread.html/rcd6c3a36f1dbc130da1b89d0f320db7040de71661a512695a8d513ac%40%3Cdev.kafka.apache.org%3E

x_refsource_MISC

https://www.whitesourcesoftware.com/resources/blog/maven-security-vulnerability-cve-2021-26291/

x_refsource_MISC

https://www.oracle.com/security-alerts/cpujul2022.html

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.