← Back

Maven

maven

Vendor: Apache • 2 CVEs

CVEs (2)

CVE
VENDORS
PRODUCTS
UPDATED
PUBLISHED
CVSS
CVE-2021-26291
3Apache
OracleQuarkus
4Financial Services Analytical Applications Infrastructure
Goldengate Big Data And Application AdaptersMaven+1 more
Nov 21, 2024
Apr 23, 2021
N/A· v4
9.1 CRITICAL· v3
6.4 MEDIUM· v2
Apache Maven will follow repositories that are defined in a dependency’s Project Object Model (pom) which may be surprising to some users, resulting in potential risk if a malicious actor takes over that repository or is...Show more
Apache Maven will follow repositories that are defined in a dependency’s Project Object Model (pom) which may be surprising to some users, resulting in potential risk if a malicious actor takes over that repository or is able to insert themselves into a position to pretend to be that repository. Maven is changing the default behavior in 3.8.1+ to no longer follow http (non-SSL) repository references by default. More details available in the referenced urls. If you are currently using a repository manager to govern the repositories used by your builds, you are unaffected by the risks present in the legacy behavior, and are unaffected by this vulnerability and change to default behavior. See this link for more information about repository management: https://maven.apache.org/repository-management.htmlShow less
CVE-2013-0253
1Apache
1Maven
Apr 29, 2026
Apr 9, 2013
N/A· v4
N/A· v3
5.8 MEDIUM· v2
The default configuration of Apache Maven 3.0.4, when using Maven Wagon 2.1, disables SSL certificate checks, which allows remote attackers to spoof servers via a man-in-the-middle (MITM) attack.