Apache Maven will follow repositories that are defined in a dependency’s Project Object Model (pom) which may be surprising to some users, resulting in potential risk if a malicious actor takes over that repository or is able to insert themselves into a position to pretend to be that repository. Maven is changing the default behavior in 3.8.1+ to no longer follow http (non-SSL) repository references by default. More details available in the referenced urls. If you are currently using a repository manager to govern the repositories used by your builds, you are unaffected by the risks present in the legacy behavior, and are unaffected by this vulnerability and change to default behavior. See this link for more information about repository management: https://maven.apache.org/repository-management.html

The remote Redhat Enterprise Linux 9 host has one or more packages installed that are affected by a vulnerability that has been acknowledged by the vendor but will not be patched.

  - maven: Block repositories using http by default (CVE-2021-26291)

Note that Nessus has not tested for this issue but has instead relied on the package manager's report that the package is installed.

The remote Redhat Enterprise Linux 8 host has one or more packages installed that are affected by a vulnerability that has been acknowledged by the vendor but will not be patched.

  - maven: Block repositories using http by default (CVE-2021-26291)

Note that Nessus has not tested for this issue but has instead relied on the package manager's report that the package is installed.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:0778 advisory.

    Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a     software project or jobs run by cron.

    Security Fix(es):

    * apache-commons-text: variable interpolation RCE (CVE-2022-42889)

    * google-oauth-client: missing PKCE support in accordance with the RFC for OAuth 2.0 for Native Apps can     lead to improper authorization (CVE-2020-7692)

    * maven: Block repositories using http by default (CVE-2021-26291)

    * snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)

    * maven-shared-utils: Command injection via Commandline class (CVE-2022-29599)

    * jenkins-2-plugins/script-security: Sandbox bypass vulnerability in Script Security Plugin     (CVE-2023-24422)

    * jenkins: Arbitrary file read vulnerability through the CLI can lead to RCE (CVE-2024-23897)

    * jenkins: cross-site WebSocket hijacking (CVE-2024-23898)

    * golang: go/parser: stack exhaustion in all Parse* functions (CVE-2022-1962)

    * guava: insecure temporary directory creation (CVE-2023-2976)

    * springframework: Spring Expression DoS Vulnerability (CVE-2023-20861)

    * spring-security: Empty SecurityContext Is Not Properly Saved Upon Logout (CVE-2023-20862)

    * jenkins-2-plugins/JUnit: Stored XSS vulnerability in JUnit Plugin (CVE-2023-25761)

    * jenkins-2-plugins/pipeline-build-step: Stored XSS vulnerability in Pipeline: Build Step Plugin     (CVE-2023-25762)

    * jetty-server: OutOfMemoryError for large multipart without filename read via request.getParameter()     (CVE-2023-26048)

    * jetty-server: Cookie parsing of quoted values can exfiltrate values from other cookies (CVE-2023-26049)

    * Jenkins: Open redirect vulnerability in OpenShift Login Plugin (CVE-2023-37947)

    * jetty: Improper validation of HTTP/1 content-length (CVE-2023-40167)

    * jenkins-plugins: cloudbees-folder: CSRF vulnerability in Folders Plugin (CVE-2023-40337)

    * jenkins-plugins: cloudbees-folder: Information disclosure in Folders Plugin (CVE-2023-40338)

    * jenkins-plugins: config-file-provider: Improper masking of credentials in Config File Provider Plugin     (CVE-2023-40339)

    * jenkins-plugins: blueocean: CSRF vulnerability in Blue Ocean Plugin allows capturing credentials     (CVE-2023-40341)

    * Jenkins: Temporary file parameter created with insecure permissions (CVE-2023-27903)

    * Jenkins: Information disclosure through error stack traces related to agents (CVE-2023-27904)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:0776 advisory.

    Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a     software project or jobs run by cron.

    Security Fix(es):

    * apache-commons-text: variable interpolation RCE (CVE-2022-42889)

    * maven: Block repositories using http by default (CVE-2021-26291)

    * snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)

    * maven-shared-utils: Command injection via Commandline class (CVE-2022-29599)

    * jenkins-2-plugins/script-security: Sandbox bypass vulnerability in Script Security Plugin     (CVE-2023-24422)

    * Jenkins: Session fixation vulnerability in OpenShift Login Plugin (CVE-2023-37946)

    * jenkins: Arbitrary file read vulnerability through the CLI can lead to RCE (CVE-2024-23897)

    * jenkins: cross-site WebSocket hijacking (CVE-2024-23898)

    * jenkins-2-plugins/JUnit: Stored XSS vulnerability in JUnit Plugin (CVE-2023-25761)

    * jenkins-2-plugins/pipeline-build-step: Stored XSS vulnerability in Pipeline: Build Step Plugin     (CVE-2023-25762)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:3198 advisory.

  - maven: Block repositories using http by default (CVE-2021-26291)

  - SnakeYaml: Constructor Deserialization Remote Code Execution (CVE-2022-1471)

  - snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)

  - maven-shared-utils: Command injection via Commandline class (CVE-2022-29599)

  - Jenkins plugin: CSRF vulnerability in Blue Ocean Plugin (CVE-2022-30953)

  - Jenkins plugin: missing permission checks in Blue Ocean Plugin (CVE-2022-30954)

  - apache-commons-text: variable interpolation RCE (CVE-2022-42889)

  - jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin     (CVE-2022-43401, CVE-2022-43403, CVE-2022-43404)

  - jenkins-plugin/workflow-cps: Sandbox bypass vulnerabilities in Pipeline: Groovy Plugin (CVE-2022-43402)

  - jenkins-plugin/pipeline-groovy-lib: Sandbox bypass vulnerability in Pipeline: Groovy Libraries Plugin     (CVE-2022-43405)

  - jenkins-plugin/workflow-cps-global-lib: Sandbox bypass vulnerability in Pipeline: Deprecated Groovy     Libraries Plugin (CVE-2022-43406)

  - jenkins-plugin/pipeline-input-step: CSRF protection for any URL can be bypassed in Pipeline: Input Step     Plugin (CVE-2022-43407)

  - jenkins-plugin/pipeline-stage-view: CSRF protection for any URL can be bypassed in Pipeline: Stage View     Plugin (CVE-2022-43408)

  - jenkins-plugin/workflow-support: Stored XSS vulnerability in Pipeline: Supporting APIs Plugin     (CVE-2022-43409)

  - mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)

  - jenkins-2-plugins/script-security: Sandbox bypass vulnerability in Script Security Plugin (CVE-2023-24422)

  - jenkins-2-plugins/JUnit: Stored XSS vulnerability in JUnit Plugin (CVE-2023-25761)

  - jenkins-2-plugins/pipeline-build-step: Stored XSS vulnerability in Pipeline: Build Step Plugin     (CVE-2023-25762)

  - Jenkins: Temporary file parameter created with insecure permissions (CVE-2023-27903)

  - Jenkins: Information disclosure through error stack traces related to agents (CVE-2023-27904)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Ubuntu 16.04 ESM / 18.04 ESM / 20.04 ESM / 22.04 ESM host has packages installed that are affected by a vulnerability as referenced in the USN-5245-1 advisory.

    It was discovered that Apache Maven followed repositories that are defined in a dependency's Project     Object Model (pom) even if the repositories weren't encrypted (http protocol). An attacker could use this     vulnerability to take over a repository, execute arbitrary code or cause a denial of service.

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Ubuntu 22.10 host has packages installed that are affected by a vulnerability as referenced in the USN-5805-1 advisory.

    It was discovered that Apache Maven followed repositories that are defined in a dependencys Project     Object Model (pom) even if the repositories weren't encryptedh (http protocol). An attacker could use this     vulnerability to take over a repository, execute arbitrary code or cause a denial of service.

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Oracle WebLogic Server installed on the remote host is missing a security patch from the July 2022 Critical Patch Update (CPU). It is, therefore, affected by multiple vulnerabilities, including:

  - Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Third Party     Tools, Samples (Spring Framework)). Supported versions that are affected are 12.2.1.3.0, 12.2.1.4.0 and     14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP     to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of     Oracle WebLogic Server. (CVE-2022-22965)

  - Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Centralized     Third Party Jars (OWASP Enterprise Security API)). Supported versions that are affected are 12.2.1.3.0,     12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network     access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result     in takeover of Oracle WebLogic Server. (CVE-2022-23457)

  - Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Centralized     Third Party Jars (Apache Maven)). Supported versions that are affected are 12.2.1.3.0 and 12.2.1.4.0.
    Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to     compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized     creation, deletion or modification access to critical data or all Oracle WebLogic Server accessible data     as well as unauthorized access to critical data or complete access to all Oracle WebLogic Server     accessible data. (CVE-2021-26291)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The Apache Maven project reports :

We received a report from Jonathan Leitschuh about a vulnerability of custom repositories in dependency POMs. We've split this up into three separate issues :

- Possible Man-In-The-Middle-Attack due to custom repositories using HTTP.

More and more repositories use HTTPS nowadays, but this hasn't always been the case. This means that Maven Central contains POMs with custom repositories that refer to a URL over HTTP. This makes downloads via such repository a target for a MITM attack. At the same time, developers are probably not aware that for some downloads an insecure URL is being used. Because uploaded POMs to Maven Central are immutable, a change for Maven was required. To solve this, we extended the mirror configuration with blocked parameter, and we added a new external:http:* mirror selector (like existing external:*), meaning 'any external URL using HTTP'.

The decision was made to block such external HTTP repositories by default : this is done by providing a mirror in the conf/settings.xml blocking insecure HTTP external URLs.

- Possible Domain Hijacking due to custom repositories using abandoned domains

Sonatype has analyzed which domains were abandoned and has claimed these domains.

- Possible hijacking of downloads by redirecting to custom repositories

This one was the hardest to analyze and explain. The short story is :
you're safe, dependencies are only downloaded from repositories within their context. So there are two main questions: what is the context and what is the order? The order is described on the Repository Order page. The first group of repositories are defined in the settings.xml (both user and global). The second group of repositories are based on inheritence, with ultimately the super POM containing the URL to Maven Central. The third group is the most complex one but is important to understand the term context: repositories from the effective POMs from the dependency path to the artifact. So if a dependency was defined by another dependency or by a Maven project, it will also include their repositories. In the end this is not a bug, but a design feature.

ID	Name	Product	Family	Severity
199855	RHEL 9 : maven (Unpatched Vulnerability)	Nessus	Red Hat Local Security Checks	critical
199833	RHEL 8 : maven (Unpatched Vulnerability)	Nessus	Red Hat Local Security Checks	critical
194435	RHEL 8 : Jenkins and Jenkins-2-plugins (RHSA-2024:0778)	Nessus	Red Hat Local Security Checks	critical
194395	RHEL 8 : jenkins and jenkins-2-plugins (RHSA-2024:0776)	Nessus	Red Hat Local Security Checks	critical
194295	RHEL 8 : jenkins and jenkins-2-plugins (RHSA-2023:3198)	Nessus	Red Hat Local Security Checks	critical
183177	Ubuntu 16.04 ESM / 18.04 ESM / 20.04 ESM / 22.04 ESM : Apache Maven vulnerability (USN-5245-1)	Nessus	Ubuntu Local Security Checks	critical
170078	Ubuntu 22.10 : Apache Maven vulnerability (USN-5805-1)	Nessus	Ubuntu Local Security Checks	critical
163298	Oracle WebLogic Server (Jul 2022 CPU)	Nessus	Misc.	critical
148748	FreeBSD : Apache Maven -- multiple vulnerabilities (20006b5f-a0bc-11eb-8ae6-fc4dd43e2b6a)	Nessus	FreeBSD Local Security Checks	critical

Detections

Analytics

CVE-2021-26291

critical

Tenable Plugins

critical

critical

critical

critical

critical

critical

critical

critical

critical