CVE-2021-26291
Summary
| CVE | CVE-2021-26291 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2021-04-23 15:15:00 UTC |
| Updated | 2023-11-07 03:31:00 UTC |
| Description | Apache Maven will follow repositories that are defined in a dependency's Project Object Model (pom), which may be surprising to some users, resulting in potential risk if a malicious actor takes over that repository or is able to insert themselves into a position to pretend to be that repository. Maven is changing the default behavior in 3.8.1+ to no longer follow http (non-SSL) repository references by default. More details are available in the referenced URLs. If you are currently using a repository manager to govern the repositories used by your builds, you are unaffected by the risks present in the legacy behavior, and are unaffected by this vulnerability and change to default behavior. See this link for more information about repository management: https://maven.apache.org/repository-management.html |
Risk And Classification
Problem Types: CWE-346
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Apache | Kafka | 2.6.1 | All | All | All |
| Application | Apache | Kafka | 2.7.1 | All | All | All |
| Application | Apache | Kafka | 2.8.0 | All | All | All |
| Application | Apache | Maven | All | All | All | All |
| Application | Oracle | Financial Services Analytical Applications Infrastructure | All | All | All | All |
| Application | Oracle | Goldengate Big Data And Application Adapters | 23.1 | All | All | All |
| Application | Quarkus | Quarkus | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Pony Mail! | MLIST | lists.apache.org | |
| [druid-commits] 20210809 [GitHub] [druid] abhishekagarwal87 merged pull request #11562: suppress CVE-2021-26291 on kafka-clients | | lists.apache.org | |
| [announce] 20210423 CVE-2021-26291: Apache Maven: block repositories using http by default | | lists.apache.org | |
| [karaf-issues] 20210816 [jira] [Updated] (KARAF-7240) Upgrade bcprov 1.69 artifacts to mitigate CVE-2020-28052 | | lists.apache.org | |
| [kafka-commits] 20210521 [kafka] branch 2.7 updated: KAFKA-12820: Upgrade maven-artifact dependency to resolve CVE-2021-26291 | | lists.apache.org | |
| [kafka-dev] 20210520 [jira] [Created] (KAFKA-12820) Upgrade maven-artifact dependency to resolve CVE-2021-26291 | | lists.apache.org | |
| [kafka-jira] 20210520 [jira] [Assigned] (KAFKA-12820) Upgrade maven-artifact dependency to resolve CVE-2021-26291 | | lists.apache.org | |
| [karaf-issues] 20210810 [jira] [Updated] (KARAF-7240) Upgrade bcprov artifacts to mitigate CVE-2020-28052 | | lists.apache.org | |
| [karaf-issues] 20210719 [jira] [Commented] (KARAF-7224) Impact of CVE-2021-26291 on Karaf | | lists.apache.org | |
| [karaf-issues] 20210719 [jira] [Assigned] (KARAF-7223) Upgrade maven artifacts to mitigate CVE-2021-26291 | | lists.apache.org | |
| oss-security - CVE-2021-26291: Apache Maven: block repositories using http by default | MLIST | www.openwall.com | |
| Oracle Critical Patch Update Advisory - April 2022 | MISC | www.oracle.com | |
| [kafka-jira] 20210520 [jira] [Created] (KAFKA-12820) Upgrade maven-artifact dependency to resolve CVE-2021-26291 | | lists.apache.org | |
| [karaf-issues] 20210719 [jira] [Assigned] (KARAF-7224) Impact of CVE-2021-26291 on Karaf | | lists.apache.org | |
| [maven-dev] 20210423 CVE-2021-26291: Apache Maven: block repositories using http by default | | lists.apache.org | |
| Pony Mail! | MISC | lists.apache.org | |
| [karaf-issues] 20210816 [jira] [Updated] (KARAF-7240) Upgrade bcprov artifacts to mitigate CVE-2020-28052 | | lists.apache.org | |
| Maven Vulnerability CVE-2021-26291: Over 100K Libraries Affected | MISC | www.whitesourcesoftware.com | |
| [karaf-issues] 20210810 [jira] [Commented] (KARAF-7240) Upgrade bcprov artifacts to mitigate CVE-2020-28052 | | lists.apache.org | |
| [karaf-issues] 20210817 [jira] [Updated] (KARAF-7240) Upgrade bcprov 1.68 artifacts to mitigate CVE-2020-28052 | | lists.apache.org | |
| [kafka-jira] 20210521 [jira] [Resolved] (KAFKA-12820) Upgrade maven-artifact dependency to resolve CVE-2021-26291 | | lists.apache.org | |
| [jena-dev] 20210428 FYI: Maven CVE-2021-26291 | | lists.apache.org | |
| [kafka-jira] 20210520 [GitHub] [kafka] dongjinleekr opened a new pull request #10739: KAFKA-12820: Upgrade maven-artifact dependency to resolve CVE-2021-26291 | | lists.apache.org | |
| [kafka-jira] 20210809 [jira] [Commented] (KAFKA-12820) Upgrade maven-artifact dependency to resolve CVE-2021-26291 | | lists.apache.org | |
| [kafka-commits] 20210521 [kafka] branch 2.6 updated: KAFKA-12820: Upgrade maven-artifact dependency to resolve CVE-2021-26291 | | lists.apache.org | |
| [myfaces-dev] 20210506 [GitHub] [myfaces-tobago] lofwyr14 opened a new pull request #817: build: CVE fix | | lists.apache.org | |
| [karaf-issues] 20210718 [jira] [Created] (KARAF-7223) Upgrade maven artifacts to mitigate CVE-2021-26291 | | lists.apache.org | |
| [karaf-issues] 20210810 [jira] [Created] (KARAF-7240) Upgrade bcprov artifacts to mitigate CVE-2020-28052 | | lists.apache.org | |
| [karaf-issues] 20210820 [jira] [Updated] (KARAF-7240) Upgrade bcprov 1.68 artifacts to mitigate CVE-2020-28052 | | lists.apache.org | |
| [karaf-issues] 20210817 [jira] [Commented] (KARAF-7240) Upgrade bcprov 1.68 artifacts to mitigate CVE-2020-28052 | | lists.apache.org | |
| [kafka-jira] 20210521 [GitHub] [kafka] omkreddy merged pull request #10739: KAFKA-12820: Upgrade maven-artifact dependency to resolve CVE-2021-26291 | | lists.apache.org | |
| lists.apache.org/thread.html/r7212b874e575e59d648980d91bc22e684906aee9b211ab92... | | lists.apache.org | |
| [kafka-commits] 20210521 [kafka] branch 2.8 updated: KAFKA-12820: Upgrade maven-artifact dependency to resolve CVE-2021-26291 | | lists.apache.org | |
| [karaf-issues] 20210824 [jira] [Commented] (KARAF-7240) Upgrade bcprov 1.68 artifacts to mitigate CVE-2020-28052 | | lists.apache.org | |
| [jena-dev] 20210429 Re: FYI: Maven CVE-2021-26291 | | lists.apache.org | |
| [karaf-issues] 20210824 [jira] [Resolved] (KARAF-7240) Upgrade bcprov 1.68 artifacts to mitigate CVE-2020-28052 | | lists.apache.org | |
| lists.apache.org/thread.html/rcd6c3a36f1dbc130da1b89d0f320db7040de71661a512695... | | lists.apache.org | |
| [druid-commits] 20210809 [GitHub] [druid] jihoonson commented on pull request #11562: suppress CVE-2021-26291 on kafka-clients | | lists.apache.org | |
| [karaf-issues] 20210718 [jira] [Created] (KARAF-7224) Impact of CVE-2021-26291 on Karaf | | lists.apache.org | |
| [kafka-users] 20210617 vulnerabilities | | lists.apache.org | |
| [karaf-issues] 20210720 [jira] [Commented] (KARAF-7224) Impact of CVE-2021-26291 on Karaf | | lists.apache.org | |
| Oracle Critical Patch Update Advisory - July 2022 | N/A | www.oracle.com | |
| [kafka-dev] 20210521 [jira] [Resolved] (KAFKA-12820) Upgrade maven-artifact dependency to resolve CVE-2021-26291 | | lists.apache.org | |
| [druid-commits] 20210809 [GitHub] [druid] abhishekagarwal87 opened a new pull request #11562: suppress CVE-2021-26291 on kafka-clients | | lists.apache.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
LEGACY: Apache Maven would like to thank Jonathan Leitschuh for highlighting the need for this change.
Legacy QID Mappings
- 182061 Debian Security Update for maven (CVE-2021-26291)
- 199107 Ubuntu Security Notification for Apache Maven Vulnerability (USN-5805-1)
- 375721 Apache Maven Custom Repositories In Dependency POM Vulnerability
- 690165 Free Berkeley Software Distribution (FreeBSD) Security Update for apache maven (20006b5f-a0bc-11eb-8ae6-fc4dd43e2b6a)
- 87496 Oracle WebLogic Server Multiple Vulnerabilities (CPUJUL2022)
- 900038 CBL-Mariner Linux Security Update for maven 3.5.4
- 902796 Common Base Linux Mariner (CBL-Mariner) Security Update for maven (4164)
- 980354 Java (maven) Security Update for org.apache.maven:maven (GHSA-2f88-5hg8-9x2x)