Attacker Value
Unknown
(0 users assessed)
Exploitability
Unknown
(0 users assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
0

CVE-2021-26291

Disclosure Date: April 23, 2021
CVE-2021-26291 CVSS v3 Base Score: 9.1
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

Apache Maven will follow repositories that are defined in a dependency’s Project Object Model (pom) which may be surprising to some users, resulting in potential risk if a malicious actor takes over that repository or is able to insert themselves into a position to pretend to be that repository. Maven is changing the default behavior in 3.8.1+ to no longer follow http (non-SSL) repository references by default. More details available in the referenced urls. If you are currently using a repository manager to govern the repositories used by your builds, you are unaffected by the risks present in the legacy behavior, and are unaffected by this vulnerability and change to default behavior. See this link for more information about repository management: https://maven.apache.org/repository-management.html

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics
Base Score:
9.1 Critical
Impact Score:
5.2
Exploitability Score:
3.9
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
None

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
Apache Maven 3.8.1
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Vendors

  • apache,
  • oracle,
  • quarkus

Products

  • financial services analytical applications infrastructure,
  • goldengate big data and application adapters 23.1,
  • maven,
  • quarkus

References

Canonical
CVE-2021-26291 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26291)
Advisory
https://lists.apache.org/thread.html/r9a027668558264c4897633e66bcb7784099fdec9f9b22c38c2442f00%40%3Cusers.maven.apache.org%3E
[maven-dev] 20210423 CVE-2021-26291: Apache Maven: block repositories using http by default (https://lists.apache.org/thread.html/r06db4057b74e0598a412734f693a34a8836ac6f06d16d139e5e1027c@%3Cdev.maven.apache.org%3E)
[maven-users] 20210423 CVE-2021-26291: Apache Maven: block repositories using http by default (https://lists.apache.org/thread.html/r9a027668558264c4897633e66bcb7784099fdec9f9b22c38c2442f00@%3Cusers.maven.apache.org%3E)
[oss-security] 20210423 CVE-2021-26291: Apache Maven: block repositories using http by default (http://www.openwall.com/lists/oss-security/2021/04/23/5)
[announce] 20210423 CVE-2021-26291: Apache Maven: block repositories using http by default (https://lists.apache.org/thread.html/r0556ce5db7231025785477739ee416b169d8aff5ee9bac7854d64736@%3Cannounce.apache.org%3E)
[jena-dev] 20210428 FYI: Maven CVE-2021-26291 (https://lists.apache.org/thread.html/ra88a0eba7f84658cefcecc0143fd8bbad52c229ee5dfcbfdde7b6457@%3Cdev.jena.apache.org%3E)
[jena-dev] 20210429 Re: FYI: Maven CVE-2021-26291 (https://lists.apache.org/thread.html/r3f0450dcab7e63b5f233ccfbc6fca5f1867a75c8aa2493ea82732381@%3Cdev.jena.apache.org%3E)
[myfaces-dev] 20210506 [GitHub] [myfaces-tobago] lofwyr14 opened a new pull request #817: build: CVE fix (https://lists.apache.org/thread.html/rfc27e2727a20a574f39273e0432aa97486a332f9b3068f6ac1346594@%3Cdev.myfaces.apache.org%3E)
[kafka-jira] 20210520 [jira] [Created] (KAFKA-12820) Upgrade maven-artifact dependency to resolve CVE-2021-26291 (https://lists.apache.org/thread.html/r86e1c81e03f441855f127980e9b3d41939d04a7caea2b7ab718e2288@%3Cjira.kafka.apache.org%3E)
[kafka-dev] 20210520 [jira] [Created] (KAFKA-12820) Upgrade maven-artifact dependency to resolve CVE-2021-26291 (https://lists.apache.org/thread.html/red3bf6cbfd99e36b0c0a4fa1cea1eef1eb300c6bd8f372f497341265@%3Cdev.kafka.apache.org%3E)
[kafka-jira] 20210520 [GitHub] [kafka] dongjinleekr opened a new pull request #10739: KAFKA-12820: Upgrade maven-artifact dependency to resolve CVE-2021-26291 (https://lists.apache.org/thread.html/r340e75c9bb6e8661b89e1cf2c52f4638a18312e57bd884722bc28f52@%3Cjira.kafka.apache.org%3E)
[kafka-jira] 20210520 [jira] [Assigned] (KAFKA-12820) Upgrade maven-artifact dependency to resolve CVE-2021-26291 (https://lists.apache.org/thread.html/r78fb6d2cf0ca332cfa43abd4471e75fa6c517ed9cdfcb950bff48d40@%3Cjira.kafka.apache.org%3E)
[kafka-jira] 20210521 [GitHub] [kafka] omkreddy merged pull request #10739: KAFKA-12820: Upgrade maven-artifact dependency to resolve CVE-2021-26291 (https://lists.apache.org/thread.html/r39fa6ec4b7e912d3e04ea68efd23e554ec9c8efa2c96f5b45104fc61@%3Cjira.kafka.apache.org%3E)
[kafka-dev] 20210521 [jira] [Resolved] (KAFKA-12820) Upgrade maven-artifact dependency to resolve CVE-2021-26291 (https://lists.apache.org/thread.html/r30e9fcba679d164158cc26236704c351954909c18cb2485d11038aa6@%3Cdev.kafka.apache.org%3E)
[kafka-commits] 20210521 [kafka] branch 2.6 updated: KAFKA-12820: Upgrade maven-artifact dependency to resolve CVE-2021-26291 (https://lists.apache.org/thread.html/rc7ae2530063d1cd1cf8e9fa130d10940760f927168d4063d23b8cd0a@%3Ccommits.kafka.apache.org%3E)
[kafka-commits] 20210521 [kafka] branch 2.8 updated: KAFKA-12820: Upgrade maven-artifact dependency to resolve CVE-2021-26291 (https://lists.apache.org/thread.html/r5ae6aaa8a2ce86145225c3516bb45d315c0454e3765d651527e5df8a@%3Ccommits.kafka.apache.org%3E)
[kafka-jira] 20210521 [jira] [Resolved] (KAFKA-12820) Upgrade maven-artifact dependency to resolve CVE-2021-26291 (https://lists.apache.org/thread.html/r0a5e4ff2a7ca7ad8595d7683afbaeb3b8788ba974681907f97e7dc8e@%3Cjira.kafka.apache.org%3E)
[kafka-commits] 20210521 [kafka] branch 2.7 updated: KAFKA-12820: Upgrade maven-artifact dependency to resolve CVE-2021-26291 (https://lists.apache.org/thread.html/r86aebd0387ae19b740b3eb28bad83fe6aceca0d6257eaa810a6e0002@%3Ccommits.kafka.apache.org%3E)
[kafka-users] 20210617 vulnerabilities (https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdbda8641c0f659fe@%3Cusers.kafka.apache.org%3E)
[karaf-issues] 20210718 [jira] [Created] (KARAF-7224) Impact of CVE-2021-26291 on Karaf (https://lists.apache.org/thread.html/r71bc13669be84c2ff45b74a67929bc2da905c152e12a39b406e3c2a0@%3Cissues.karaf.apache.org%3E)
[karaf-issues] 20210718 [jira] [Created] (KARAF-7223) Upgrade maven artifacts to mitigate CVE-2021-26291 (https://lists.apache.org/thread.html/r53cd5de57aaa126038c5301d8f518f3defab3c5b1c7e17c97bad08d8@%3Cissues.karaf.apache.org%3E)
[karaf-issues] 20210719 [jira] [Commented] (KARAF-7224) Impact of CVE-2021-26291 on Karaf (https://lists.apache.org/thread.html/r52c6cda14dc6315dc79e72d30109f4589e9c6300ef6dc1a019da32d4@%3Cissues.karaf.apache.org%3E)
[karaf-issues] 20210719 [jira] [Assigned] (KARAF-7224) Impact of CVE-2021-26291 on Karaf (https://lists.apache.org/thread.html/r74329c671df713f61ae4620ee2452a0443ccad7f33c60e8ed7d21ff9@%3Cissues.karaf.apache.org%3E)
[karaf-issues] 20210719 [jira] [Assigned] (KARAF-7223) Upgrade maven artifacts to mitigate CVE-2021-26291 (https://lists.apache.org/thread.html/r07a89b32783f73bda6903c1f9aadeb859e5bef0a4daed6d87db8e4a9@%3Cissues.karaf.apache.org%3E)
[karaf-issues] 20210720 [jira] [Commented] (KARAF-7224) Impact of CVE-2021-26291 on Karaf (https://lists.apache.org/thread.html/r96cc126d3ee9aa42af9d3bb4baa94828b0a5f656584a50dcc594125f@%3Cissues.karaf.apache.org%3E)
[druid-commits] 20210809 [GitHub] [druid] abhishekagarwal87 opened a new pull request #11562: suppress CVE-2021-26291 on kafka-clients (https://lists.apache.org/thread.html/ra9d984eccfd2ae7726671e025f0296bf03786e5cdf872138110ac29b@%3Ccommits.druid.apache.org%3E)
[kafka-jira] 20210809 [jira] [Commented] (KAFKA-12820) Upgrade maven-artifact dependency to resolve CVE-2021-26291 (https://lists.apache.org/thread.html/r0d083314aa3934dd4b6e6970d1f6ee50f6eaa9d867deb2cd96788478@%3Cjira.kafka.apache.org%3E)
[druid-commits] 20210809 [GitHub] [druid] abhishekagarwal87 merged pull request #11562: suppress CVE-2021-26291 on kafka-clients (https://lists.apache.org/thread.html/re75f8b3dbc5faa1640908f87e644d373e00f8b4e6ba3e2ba4bd2c80b@%3Ccommits.druid.apache.org%3E)
[druid-commits] 20210809 [GitHub] [druid] jihoonson commented on pull request #11562: suppress CVE-2021-26291 on kafka-clients (https://lists.apache.org/thread.html/r08a401f8c98a99f68d061fde6e6659d695f28d60fe4f0413bcb355b0@%3Ccommits.druid.apache.org%3E)
[karaf-issues] 20210810 [jira] [Created] (KARAF-7240) Upgrade bcprov artifacts to mitigate CVE-2020-28052 (https://lists.apache.org/thread.html/rdcbad6d8ce72c79827ed8c635f9a62dd919bb21c94a0b64cab2efc31@%3Cissues.karaf.apache.org%3E)
[karaf-issues] 20210810 [jira] [Updated] (KARAF-7240) Upgrade bcprov artifacts to mitigate CVE-2020-28052 (https://lists.apache.org/thread.html/rfc0db1f3c375087e69a239f9284ded72d04fbb55849eadde58fa9dc2@%3Cissues.karaf.apache.org%3E)
[karaf-issues] 20210810 [jira] [Commented] (KARAF-7240) Upgrade bcprov artifacts to mitigate CVE-2020-28052 (https://lists.apache.org/thread.html/r77af3ac7c3bfbd5454546e13faf7aec21d627bdcf36c9ca240436b94@%3Cissues.karaf.apache.org%3E)
[karaf-issues] 20210816 [jira] [Updated] (KARAF-7240) Upgrade bcprov artifacts to mitigate CVE-2020-28052 (https://lists.apache.org/thread.html/rcd37d9214b08067a2e8f2b5b4fd123a1f8cb6008698d11ef44028c21@%3Cissues.karaf.apache.org%3E)
[karaf-issues] 20210816 [jira] [Updated] (KARAF-7240) Upgrade bcprov 1.69 artifacts to mitigate CVE-2020-28052 (https://lists.apache.org/thread.html/r167dbc42ef7c59802c2ca1ac14735ef9cf687c25208229993d6206fe@%3Cissues.karaf.apache.org%3E)
[karaf-issues] 20210817 [jira] [Commented] (KARAF-7240) Upgrade bcprov 1.68 artifacts to mitigate CVE-2020-28052 (https://lists.apache.org/thread.html/r4e1619cfefcd031fac62064a3858f5c9229eef907bd5d8ef14c594fc@%3Cissues.karaf.apache.org%3E)
[karaf-issues] 20210817 [jira] [Updated] (KARAF-7240) Upgrade bcprov 1.68 artifacts to mitigate CVE-2020-28052 (https://lists.apache.org/thread.html/r2ddabd06d94b60cfb0141e4abb23201c628ab925e30742f61a04d013@%3Cissues.karaf.apache.org%3E)
[karaf-issues] 20210820 [jira] [Updated] (KARAF-7240) Upgrade bcprov 1.68 artifacts to mitigate CVE-2020-28052 (https://lists.apache.org/thread.html/r30a139c165b3da6e0d5536434ab1550534011b1fdfcd2f5d95892c5b@%3Cissues.karaf.apache.org%3E)
[karaf-issues] 20210824 [jira] [Commented] (KARAF-7240) Upgrade bcprov 1.68 artifacts to mitigate CVE-2020-28052 (https://lists.apache.org/thread.html/rf9abfc0223747a56694825c050cc6b66627a293a32ea926b3de22402@%3Cissues.karaf.apache.org%3E)
[karaf-issues] 20210824 [jira] [Resolved] (KARAF-7240) Upgrade bcprov 1.68 artifacts to mitigate CVE-2020-28052 (https://lists.apache.org/thread.html/rc9e441c1576bdc4375d32526d5cf457226928e9c87b9f54ded26271c@%3Cissues.karaf.apache.org%3E)
Miscellaneous
https://lists.apache.org/thread.html/r7212b874e575e59d648980d91bc22e684906aee9b211ab92da9591f5@%3Cdev.kafka.apache.org%3E
https://lists.apache.org/thread.html/rcd6c3a36f1dbc130da1b89d0f320db7040de71661a512695a8d513ac@%3Cdev.kafka.apache.org%3E
https://www.whitesourcesoftware.com/resources/blog/maven-security-vulnerability-cve-2021-26291/
https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.oracle.com/security-alerts/cpujul2022.html

Additional Info

Authenticated
Unknown
Exploitable
Unknown
Reliability
Unknown
Stability
Unknown
Available Mitigations
Unknown
Shelf Life
Unknown
Userbase/Installbase
Unknown
Patch Effectiveness
Unknown
Technical Analysis