{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-47197", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2024-09-20T20:04:10.889Z", "datePublished": "2024-09-26T08:01:24.486Z", "dateUpdated": "2024-09-26T13:25:15.814Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected", "packageName": "org.apache.maven.plugins:maven-archetype-plugin", "product": "Maven Archetype Plugin", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "3.3.0", "status": "affected", "version": "3.2.1", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "Niels Basjes"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Exposure of Sensitive Information to an Unauthorized Actor, Insecure Storage of Sensitive Information vulnerability in Maven Archetype Plugin.</p><p>This issue affects Maven Archetype Plugin: from 3.2.1 before 3.3.0.</p><p>Users are recommended to upgrade to version 3.3.0, which fixes the issue.</p><span style=\"background-color: rgb(255, 255, 255);\">Archetype integration testing creates a file\ncalled ./target/classes/archetype-it/archetype-settings.xml\nThis file contains all the content from the users ~/.m2/settings.xml file,\nwhich often contains information they do not want to publish. We expect that on many developer machines, this also contains\ncredentials.<br><br><span style=\"background-color: rgb(255, 255, 255);\">When the user runs </span></span><tt><span style=\"background-color: rgb(255, 255, 255);\"><span style=\"background-color: rgb(255, 255, 255);\">mvn verify</span></span></tt><span style=\"background-color: rgb(255, 255, 255);\"><span style=\"background-color: rgb(255, 255, 255);\"> again (without a </span></span><tt><span style=\"background-color: rgb(255, 255, 255);\"><span style=\"background-color: rgb(255, 255, 255);\">mvn clean</span></span></tt><span style=\"background-color: rgb(255, 255, 255);\"><span style=\"background-color: rgb(255, 255, 255);\">), this file becomes part of\nthe final artifact.<br><br><span style=\"background-color: rgb(255, 255, 255);\">If a developer were to publish this into Maven Central or any other remote repository (whether as a release\nor a snapshot) their credentials would be published without them knowing.</span></span></span><br>"}], "value": "Exposure of Sensitive Information to an Unauthorized Actor, Insecure Storage of Sensitive Information vulnerability in Maven Archetype Plugin.\n\nThis issue affects Maven Archetype Plugin: from 3.2.1 before 3.3.0.\n\nUsers are recommended to upgrade to version 3.3.0, which fixes the issue.\n\nArchetype integration testing creates a file\ncalled ./target/classes/archetype-it/archetype-settings.xml\nThis file contains all the content from the users ~/.m2/settings.xml file,\nwhich often contains information they do not want to publish. We expect that on many developer machines, this also contains\ncredentials.\n\nWhen the user runs mvn verify again (without a mvn clean), this file becomes part of\nthe final artifact.\n\nIf a developer were to publish this into Maven Central or any other remote repository (whether as a release\nor a snapshot) their credentials would be published without them knowing."}], "metrics": [{"other": {"content": {"text": "low"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-922", "description": "CWE-922 Insecure Storage of Sensitive Information", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2024-09-26T08:01:24.486Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/ftg81np183wnyk0kg4ks95dvgxdrof96"}], "source": {"defect": ["ARCHETYPE-657"], "discovery": "INTERNAL"}, "title": "Maven Archetype Plugin: Maven Archetype integration-test may package local settings into the published artifact, possibly containing credentials", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2024/09/26/2"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-09-26T13:07:57.537Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-26T13:25:04.948042Z", "id": "CVE-2024-47197", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-26T13:25:15.814Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2024/09/26/2"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-09-26T13:07:57.537Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-47197", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-26T13:25:04.948042Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-26T13:25:12.827Z"}}], "cna": {"title": "Maven Archetype Plugin: Maven Archetype integration-test may package local settings into the published artifact, possibly containing credentials", "source": {"defect": ["ARCHETYPE-657"], "discovery": "INTERNAL"}, "credits": [{"lang": "en", "type": "reporter", "value": "Niels Basjes"}], "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "low"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Maven Archetype Plugin", "versions": [{"status": "affected", "version": "3.2.1", "lessThan": "3.3.0", "versionType": "semver"}], "packageName": "org.apache.maven.plugins:maven-archetype-plugin", "collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected"}], "references": [{"url": "https://lists.apache.org/thread/ftg81np183wnyk0kg4ks95dvgxdrof96", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Exposure of Sensitive Information to an Unauthorized Actor, Insecure Storage of Sensitive Information vulnerability in Maven Archetype Plugin.\n\nThis issue affects Maven Archetype Plugin: from 3.2.1 before 3.3.0.\n\nUsers are recommended to upgrade to version 3.3.0, which fixes the issue.\n\nArchetype integration testing creates a file\ncalled ./target/classes/archetype-it/archetype-settings.xml\nThis file contains all the content from the users ~/.m2/settings.xml file,\nwhich often contains information they do not want to publish. We expect that on many developer machines, this also contains\ncredentials.\n\nWhen the user runs mvn verify again (without a mvn clean), this file becomes part of\nthe final artifact.\n\nIf a developer were to publish this into Maven Central or any other remote repository (whether as a release\nor a snapshot) their credentials would be published without them knowing.", "supportingMedia": [{"type": "text/html", "value": "<p>Exposure of Sensitive Information to an Unauthorized Actor, Insecure Storage of Sensitive Information vulnerability in Maven Archetype Plugin.</p><p>This issue affects Maven Archetype Plugin: from 3.2.1 before 3.3.0.</p><p>Users are recommended to upgrade to version 3.3.0, which fixes the issue.</p><span style=\"background-color: rgb(255, 255, 255);\">Archetype integration testing creates a file\ncalled ./target/classes/archetype-it/archetype-settings.xml\nThis file contains all the content from the users ~/.m2/settings.xml file,\nwhich often contains information they do not want to publish. We expect that on many developer machines, this also contains\ncredentials.<br><br><span style=\"background-color: rgb(255, 255, 255);\">When the user runs </span></span><tt><span style=\"background-color: rgb(255, 255, 255);\"><span style=\"background-color: rgb(255, 255, 255);\">mvn verify</span></span></tt><span style=\"background-color: rgb(255, 255, 255);\"><span style=\"background-color: rgb(255, 255, 255);\"> again (without a </span></span><tt><span style=\"background-color: rgb(255, 255, 255);\"><span style=\"background-color: rgb(255, 255, 255);\">mvn clean</span></span></tt><span style=\"background-color: rgb(255, 255, 255);\"><span style=\"background-color: rgb(255, 255, 255);\">), this file becomes part of\nthe final artifact.<br><br><span style=\"background-color: rgb(255, 255, 255);\">If a developer were to publish this into Maven Central or any other remote repository (whether as a release\nor a snapshot) their credentials would be published without them knowing.</span></span></span><br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-922", "description": "CWE-922 Insecure Storage of Sensitive Information"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2024-09-26T08:01:24.486Z"}}}, "cveMetadata": {"cveId": "CVE-2024-47197", "state": "PUBLISHED", "dateUpdated": "2024-09-26T13:25:15.814Z", "dateReserved": "2024-09-20T20:04:10.889Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2024-09-26T08:01:24.486Z", "assignerShortName": "apache"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:maven_archetype:3.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "A159A60A-09F5-49B5-A159-E530CACDA1B9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Exposure of Sensitive Information to an Unauthorized Actor, Insecure Storage of Sensitive Information vulnerability in Maven Archetype Plugin.\n\nThis issue affects Maven Archetype Plugin: from 3.2.1 before 3.3.0.\n\nUsers are recommended to upgrade to version 3.3.0, which fixes the issue.\n\nArchetype integration testing creates a file\ncalled ./target/classes/archetype-it/archetype-settings.xml\nThis file contains all the content from the users ~/.m2/settings.xml file,\nwhich often contains information they do not want to publish. We expect that on many developer machines, this also contains\ncredentials.\n\nWhen the user runs mvn verify again (without a mvn clean), this file becomes part of\nthe final artifact.\n\nIf a developer were to publish this into Maven Central or any other remote repository (whether as a release\nor a snapshot) their credentials would be published without them knowing."}, {"lang": "es", "value": "Exposici\u00f3n de informaci\u00f3n confidencial a un actor no autorizado, vulnerabilidad de almacenamiento inseguro de informaci\u00f3n confidencial en el complemento Maven Archetype. Este problema afecta al complemento Maven Archetype: desde la versi\u00f3n 3.2.1 hasta la 3.3.0. Se recomienda a los usuarios que actualicen a la versi\u00f3n 3.3.0, que soluciona el problema. Las pruebas de integraci\u00f3n de Archetype crean un archivo llamado ./target/classes/archetype-it/archetype-settings.xml. Este archivo contiene todo el contenido del archivo ~/.m2/settings.xml de los usuarios, que a menudo contiene informaci\u00f3n que no desean publicar. Esperamos que en muchas m\u00e1quinas de desarrolladores, esto tambi\u00e9n contenga credenciales. Cuando el usuario ejecuta mvn verificar nuevamente (sin un mvn clean), este archivo se convierte en parte del artefacto final. Si un desarrollador publicara esto en Maven Central o cualquier otro repositorio remoto (ya sea como una versi\u00f3n o una instant\u00e1nea), sus credenciales se publicar\u00edan sin que ellos lo supieran."}], "id": "CVE-2024-47197", "lastModified": "2024-10-02T17:25:36.990", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-09-26T08:15:06.587", "references": [{"source": "security@apache.org", "tags": ["Mailing List"], "url": "https://lists.apache.org/thread/ftg81np183wnyk0kg4ks95dvgxdrof96"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-922"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-922"}], "source": "security@apache.org", "type": "Secondary"}]}

{"bugzilla": {"description": "maven-archetype-plugin: Exposure of Sensitive Information", "id": "2314839", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2314839"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "status": "draft"}, "cwe": "(CWE-200|CWE-922)", "details": ["Exposure of Sensitive Information to an Unauthorized Actor, Insecure Storage of Sensitive Information vulnerability in Maven Archetype Plugin.\nThis issue affects Maven Archetype Plugin: from 3.2.1 before 3.3.0.\nUsers are recommended to upgrade to version 3.3.0, which fixes the issue.\nArchetype integration testing creates a file\ncalled ./target/classes/archetype-it/archetype-settings.xml\nThis file contains all the content from the users ~/.m2/settings.xml file,\nwhich often contains information they do not want to publish. We expect that on many developer machines, this also contains\ncredentials.\nWhen the user runs mvn verify again (without a mvn clean), this file becomes part of\nthe final artifact.\nIf a developer were to publish this into Maven Central or any other remote repository (whether as a release\nor a snapshot) their credentials would be published without them knowing.", "A flaw was found in the Maven Archetype Plugin. Archetype integration testing can create a file called ./target/classes/archetype-it/archetype-settings.xml This file contains all the content from the users ~/.m2/settings.xml file, which often contains sensitive information or credentials. When the user runs mvn verify again without a mvn clean, this file becomes part of the final artifact. If a developer were to publish this into Maven Central or any other remote repository, whether as a release or a snapshot, their credentials would be published without them knowing."], "name": "CVE-2024-47197", "package_state": [{"cpe": "cpe:/a:redhat:amq_clients:2023", "fix_state": "Fix deferred", "package_name": "org.apache.maven.plugins/maven-archetype-plugin", "product_name": "AMQ Clients"}, {"cpe": "cpe:/a:redhat:a_mq_clients:2", "fix_state": "Fix deferred", "package_name": "org.apache.maven.plugins/maven-archetype-plugin", "product_name": "A-MQ Clients 2"}, {"cpe": "cpe:/a:redhat:migration_toolkit_runtimes:1", "fix_state": "Fix deferred", "package_name": "org.apache.maven.plugins/maven-archetype-plugin", "product_name": "Migration Toolkit for Runtimes"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Fix deferred", "package_name": "org.apache.maven.plugins/maven-archetype-plugin", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:3", "fix_state": "Fix deferred", "package_name": "org.apache.maven.plugins/maven-archetype-plugin", "product_name": "Red Hat build of Apache Camel for Spring Boot 3"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:4", "fix_state": "Fix deferred", "package_name": "org.apache.maven.plugins/maven-archetype-plugin", "product_name": "Red Hat build of Apache Camel for Spring Boot 4"}, {"cpe": "cpe:/a:redhat:build_keycloak:", "fix_state": "Fix deferred", "package_name": "org.apache.maven.plugins/maven-archetype-plugin", "product_name": "Red Hat Build of Keycloak"}, {"cpe": "cpe:/a:redhat:optaplanner:::el6", "fix_state": "Fix deferred", "package_name": "org.apache.maven.plugins/maven-archetype-plugin", "product_name": "Red Hat build of OptaPlanner 8"}, {"cpe": "cpe:/a:redhat:quarkus:3", "fix_state": "Fix deferred", "package_name": "org.apache.maven.plugins/maven-archetype-plugin", "product_name": "Red Hat build of Quarkus"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Fix deferred", "package_name": "org.apache.maven.plugins/maven-archetype-plugin", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Fix deferred", "package_name": "org.apache.maven.plugins/maven-archetype-plugin", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Fix deferred", "package_name": "org.apache.maven.plugins/maven-archetype-plugin", "product_name": "Red Hat Integration Camel K"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Fix deferred", "package_name": "org.apache.maven.plugins/maven-archetype-plugin", "product_name": "Red Hat JBoss Data Grid 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Fix deferred", "package_name": "org.apache.maven.plugins/maven-archetype-plugin", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Fix deferred", "package_name": "org.apache.maven.plugins/maven-archetype-plugin", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Fix deferred", "package_name": "org.apache.maven.plugins/maven-archetype-plugin", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Fix deferred", "package_name": "org.apache.maven.plugins/maven-archetype-plugin", "product_name": "Red Hat Process Automation 7"}], "public_date": "2024-09-26T08:15:06Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-47197\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-47197\nhttps://lists.apache.org/thread/ftg81np183wnyk0kg4ks95dvgxdrof96"], "threat_severity": "Low"}