Apache Maven will follow repositories that are defined in a dependency’s Project Object Model (pom) which may be surprising to some users, resulting in potential risk if a malicious actor takes over that repository or is able to insert themselves into a position to pretend to be that repository. Maven is changing the default behavior in 3.8.1+ to no longer follow http (non-SSL) repository references by default. More details available in the referenced urls. If you are currently using a repository manager to govern the repositories used by your builds, you are unaffected by the risks present in the legacy behavior, and are unaffected by this vulnerability and change to default behavior. See this link for more information about repository management: https://maven.apache.org/repository-management.html

Metrics

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Affected Vendors & Products

Vendors Products
Apache
  • Maven
Oracle
  • Financial Services Analytical Applications Infrastructure
  • Goldengate Big Data And Application Adapters
Quarkus
  • Quarkus
Redhat
  • Camel Quarkus
  • Integration
  • Jboss Enterprise Bpms Platform
  • Ocp Tools
  • Openshift Application Runtimes

Configuration 1 [-]

cpe:2.3:a:apache:maven:*:*:*:*:*:*:*:*

Configuration 2 [-]

cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*

Configuration 3 [-]

OR cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:goldengate_big_data_and_application_adapters:23.1:*:*:*:*:*:*:*
Package CPE Advisory Released Date
OCP-Tools-4.12-RHEL-8
jenkins-2-plugins-0:4.12.1706515741-1.el8 cpe:/a:redhat:ocp_tools:4.12::el8 RHSA-2024:0778 2024-02-12T00:00:00Z
OCP-Tools-4.13-RHEL-8
jenkins-2-plugins-0:4.13.1706516346-1.el8 cpe:/a:redhat:ocp_tools:4.13::el8 RHSA-2024:0776 2024-02-12T00:00:00Z
OpenShift Developer Tools and Services for OCP 4.11
jenkins-2-plugins-0:4.11.1683009941-1.el8 cpe:/a:redhat:ocp_tools:4.11::el8 RHSA-2023:3198 2023-05-17T00:00:00Z
Red Hat build of Quarkus 2.2.3
maven-wrapper cpe:/a:redhat:openshift_application_runtimes:1.0 RHSA-2021:3880 2021-10-20T00:00:00Z
RHINT Camel-K 1.6.4
maven-core cpe:/a:redhat:integration:1 RHSA-2022:1029 2022-03-23T00:00:00Z
RHINT Camel-Q 2.2.1
maven-core cpe:/a:redhat:camel_quarkus:2.2.1 RHSA-2022:1013 2022-03-22T00:00:00Z
RHPAM 7.13.1 async
rhpam-7-businesscentral-rhel8-container cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13 RHSA-2023:1334 2023-03-20T00:00:00Z
References
Link Providers
http://www.openwall.com/lists/oss-security/2021/04/23/5 cve-icon cve-icon
https://lists.apache.org/thread.html/r0556ce5db7231025785477739ee416b169d8aff5ee9bac7854d64736%40%3Cannounce.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r06db4057b74e0598a412734f693a34a8836ac6f06d16d139e5e1027c%40%3Cdev.maven.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r07a89b32783f73bda6903c1f9aadeb859e5bef0a4daed6d87db8e4a9%40%3Cissues.karaf.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r08a401f8c98a99f68d061fde6e6659d695f28d60fe4f0413bcb355b0%40%3Ccommits.druid.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r0a5e4ff2a7ca7ad8595d7683afbaeb3b8788ba974681907f97e7dc8e%40%3Cjira.kafka.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r0d083314aa3934dd4b6e6970d1f6ee50f6eaa9d867deb2cd96788478%40%3Cjira.kafka.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r167dbc42ef7c59802c2ca1ac14735ef9cf687c25208229993d6206fe%40%3Cissues.karaf.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdbda8641c0f659fe%40%3Cusers.kafka.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r2ddabd06d94b60cfb0141e4abb23201c628ab925e30742f61a04d013%40%3Cissues.karaf.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r30a139c165b3da6e0d5536434ab1550534011b1fdfcd2f5d95892c5b%40%3Cissues.karaf.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r30e9fcba679d164158cc26236704c351954909c18cb2485d11038aa6%40%3Cdev.kafka.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r340e75c9bb6e8661b89e1cf2c52f4638a18312e57bd884722bc28f52%40%3Cjira.kafka.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r39fa6ec4b7e912d3e04ea68efd23e554ec9c8efa2c96f5b45104fc61%40%3Cjira.kafka.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r3f0450dcab7e63b5f233ccfbc6fca5f1867a75c8aa2493ea82732381%40%3Cdev.jena.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r4e1619cfefcd031fac62064a3858f5c9229eef907bd5d8ef14c594fc%40%3Cissues.karaf.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r52c6cda14dc6315dc79e72d30109f4589e9c6300ef6dc1a019da32d4%40%3Cissues.karaf.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r53cd5de57aaa126038c5301d8f518f3defab3c5b1c7e17c97bad08d8%40%3Cissues.karaf.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r5ae6aaa8a2ce86145225c3516bb45d315c0454e3765d651527e5df8a%40%3Ccommits.kafka.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r71bc13669be84c2ff45b74a67929bc2da905c152e12a39b406e3c2a0%40%3Cissues.karaf.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r7212b874e575e59d648980d91bc22e684906aee9b211ab92da9591f5%40%3Cdev.kafka.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r74329c671df713f61ae4620ee2452a0443ccad7f33c60e8ed7d21ff9%40%3Cissues.karaf.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r77af3ac7c3bfbd5454546e13faf7aec21d627bdcf36c9ca240436b94%40%3Cissues.karaf.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r78fb6d2cf0ca332cfa43abd4471e75fa6c517ed9cdfcb950bff48d40%40%3Cjira.kafka.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r86aebd0387ae19b740b3eb28bad83fe6aceca0d6257eaa810a6e0002%40%3Ccommits.kafka.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r86e1c81e03f441855f127980e9b3d41939d04a7caea2b7ab718e2288%40%3Cjira.kafka.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r96cc126d3ee9aa42af9d3bb4baa94828b0a5f656584a50dcc594125f%40%3Cissues.karaf.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r9a027668558264c4897633e66bcb7784099fdec9f9b22c38c2442f00%40%3Cusers.maven.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/ra88a0eba7f84658cefcecc0143fd8bbad52c229ee5dfcbfdde7b6457%40%3Cdev.jena.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/ra9d984eccfd2ae7726671e025f0296bf03786e5cdf872138110ac29b%40%3Ccommits.druid.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/rc7ae2530063d1cd1cf8e9fa130d10940760f927168d4063d23b8cd0a%40%3Ccommits.kafka.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/rc9e441c1576bdc4375d32526d5cf457226928e9c87b9f54ded26271c%40%3Cissues.karaf.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/rcd37d9214b08067a2e8f2b5b4fd123a1f8cb6008698d11ef44028c21%40%3Cissues.karaf.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/rcd6c3a36f1dbc130da1b89d0f320db7040de71661a512695a8d513ac%40%3Cdev.kafka.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/rdcbad6d8ce72c79827ed8c635f9a62dd919bb21c94a0b64cab2efc31%40%3Cissues.karaf.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/re75f8b3dbc5faa1640908f87e644d373e00f8b4e6ba3e2ba4bd2c80b%40%3Ccommits.druid.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/red3bf6cbfd99e36b0c0a4fa1cea1eef1eb300c6bd8f372f497341265%40%3Cdev.kafka.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/rf9abfc0223747a56694825c050cc6b66627a293a32ea926b3de22402%40%3Cissues.karaf.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/rfc0db1f3c375087e69a239f9284ded72d04fbb55849eadde58fa9dc2%40%3Cissues.karaf.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/rfc27e2727a20a574f39273e0432aa97486a332f9b3068f6ac1346594%40%3Cdev.myfaces.apache.org%3E cve-icon cve-icon
https://maven.apache.org/docs/3.8.1/release-notes.html#cve-2021-26291 cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2021-26291 cve-icon
https://www.cve.org/CVERecord?id=CVE-2021-26291 cve-icon
https://www.oracle.com/security-alerts/cpuapr2022.html cve-icon cve-icon
https://www.oracle.com/security-alerts/cpujul2022.html cve-icon cve-icon
https://www.whitesourcesoftware.com/resources/blog/maven-security-vulnerability-cve-2021-26291/ cve-icon cve-icon
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published: 2021-04-23T14:20:13

Updated: 2024-08-03T20:19:20.126Z

Reserved: 2021-01-27T00:00:00

Link: CVE-2021-26291

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2021-04-23T15:15:09.387

Modified: 2024-11-21T05:56:01.890

Link: CVE-2021-26291

cve-icon Redhat

Severity : Important

Publid Date: 2021-04-23T00:00:00Z

Links: CVE-2021-26291 - Bugzilla