Vulnerabilites related to apache - maven_archetype
Vulnerability from fkie_nvd
Published
2024-09-26 08:15
Modified
2025-03-17 18:15
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
Exposure of Sensitive Information to an Unauthorized Actor, Insecure Storage of Sensitive Information vulnerability in Maven Archetype Plugin.
This issue affects Maven Archetype Plugin: from 3.2.1 before 3.3.0.
Users are recommended to upgrade to version 3.3.0, which fixes the issue.
Archetype integration testing creates a file
called ./target/classes/archetype-it/archetype-settings.xml
This file contains all the content from the users ~/.m2/settings.xml file,
which often contains information they do not want to publish. We expect that on many developer machines, this also contains
credentials.
When the user runs mvn verify again (without a mvn clean), this file becomes part of
the final artifact.
If a developer were to publish this into Maven Central or any other remote repository (whether as a release
or a snapshot) their credentials would be published without them knowing.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| apache | maven_archetype | 3.2.1 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:maven_archetype:3.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "A159A60A-09F5-49B5-A159-E530CACDA1B9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Exposure of Sensitive Information to an Unauthorized Actor, Insecure Storage of Sensitive Information vulnerability in Maven Archetype Plugin.\n\nThis issue affects Maven Archetype Plugin: from 3.2.1 before 3.3.0.\n\nUsers are recommended to upgrade to version 3.3.0, which fixes the issue.\n\nArchetype integration testing creates a file\ncalled ./target/classes/archetype-it/archetype-settings.xml\nThis file contains all the content from the users ~/.m2/settings.xml file,\nwhich often contains information they do not want to publish. We expect that on many developer machines, this also contains\ncredentials.\n\nWhen the user runs mvn verify again (without a mvn clean), this file becomes part of\nthe final artifact.\n\nIf a developer were to publish this into Maven Central or any other remote repository (whether as a release\nor a snapshot) their credentials would be published without them knowing."
},
{
"lang": "es",
"value": "Exposici\u00f3n de informaci\u00f3n confidencial a un actor no autorizado, vulnerabilidad de almacenamiento inseguro de informaci\u00f3n confidencial en el complemento Maven Archetype. Este problema afecta al complemento Maven Archetype: desde la versi\u00f3n 3.2.1 hasta la 3.3.0. Se recomienda a los usuarios que actualicen a la versi\u00f3n 3.3.0, que soluciona el problema. Las pruebas de integraci\u00f3n de Archetype crean un archivo llamado ./target/classes/archetype-it/archetype-settings.xml. Este archivo contiene todo el contenido del archivo ~/.m2/settings.xml de los usuarios, que a menudo contiene informaci\u00f3n que no desean publicar. Esperamos que en muchas m\u00e1quinas de desarrolladores, esto tambi\u00e9n contenga credenciales. Cuando el usuario ejecuta mvn verificar nuevamente (sin un mvn clean), este archivo se convierte en parte del artefacto final. Si un desarrollador publicara esto en Maven Central o cualquier otro repositorio remoto (ya sea como una versi\u00f3n o una instant\u00e1nea), sus credenciales se publicar\u00edan sin que ellos lo supieran."
}
],
"id": "CVE-2024-47197",
"lastModified": "2025-03-17T18:15:18.883",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-09-26T08:15:06.587",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List"
],
"url": "https://lists.apache.org/thread/ftg81np183wnyk0kg4ks95dvgxdrof96"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2024/09/26/2"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
},
{
"lang": "en",
"value": "CWE-922"
}
],
"source": "security@apache.org",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-922"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2024-47197 (GCVE-0-2024-47197)
Vulnerability from cvelistv5
Published
2024-09-26 08:01
Modified
2025-03-17 17:36
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
Exposure of Sensitive Information to an Unauthorized Actor, Insecure Storage of Sensitive Information vulnerability in Maven Archetype Plugin.
This issue affects Maven Archetype Plugin: from 3.2.1 before 3.3.0.
Users are recommended to upgrade to version 3.3.0, which fixes the issue.
Archetype integration testing creates a file
called ./target/classes/archetype-it/archetype-settings.xml
This file contains all the content from the users ~/.m2/settings.xml file,
which often contains information they do not want to publish. We expect that on many developer machines, this also contains
credentials.
When the user runs mvn verify again (without a mvn clean), this file becomes part of
the final artifact.
If a developer were to publish this into Maven Central or any other remote repository (whether as a release
or a snapshot) their credentials would be published without them knowing.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Maven Archetype Plugin |
Version: 3.2.1 ≤ |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-09-26T13:07:57.537Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2024/09/26/2"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-47197",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-17T17:35:38.739445Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-17T17:36:10.410Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.maven.plugins:maven-archetype-plugin",
"product": "Maven Archetype Plugin",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "3.3.0",
"status": "affected",
"version": "3.2.1",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Niels Basjes"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eExposure of Sensitive Information to an Unauthorized Actor, Insecure Storage of Sensitive Information vulnerability in Maven Archetype Plugin.\u003c/p\u003e\u003cp\u003eThis issue affects Maven Archetype Plugin: from 3.2.1 before 3.3.0.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 3.3.0, which fixes the issue.\u003c/p\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eArchetype integration testing creates a file\ncalled ./target/classes/archetype-it/archetype-settings.xml\nThis file contains all the content from the users ~/.m2/settings.xml file,\nwhich often contains information they do not want to publish. We expect that on many developer machines, this also contains\ncredentials.\u003cbr\u003e\u003cbr\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eWhen the user runs \u003c/span\u003e\u003c/span\u003e\u003ctt\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003emvn verify\u003c/span\u003e\u003c/span\u003e\u003c/tt\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e again (without a \u003c/span\u003e\u003c/span\u003e\u003ctt\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003emvn clean\u003c/span\u003e\u003c/span\u003e\u003c/tt\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e), this file becomes part of\nthe final artifact.\u003cbr\u003e\u003cbr\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eIf a developer were to publish this into Maven Central or any other remote repository (whether as a release\nor a snapshot) their credentials would be published without them knowing.\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "Exposure of Sensitive Information to an Unauthorized Actor, Insecure Storage of Sensitive Information vulnerability in Maven Archetype Plugin.\n\nThis issue affects Maven Archetype Plugin: from 3.2.1 before 3.3.0.\n\nUsers are recommended to upgrade to version 3.3.0, which fixes the issue.\n\nArchetype integration testing creates a file\ncalled ./target/classes/archetype-it/archetype-settings.xml\nThis file contains all the content from the users ~/.m2/settings.xml file,\nwhich often contains information they do not want to publish. We expect that on many developer machines, this also contains\ncredentials.\n\nWhen the user runs mvn verify again (without a mvn clean), this file becomes part of\nthe final artifact.\n\nIf a developer were to publish this into Maven Central or any other remote repository (whether as a release\nor a snapshot) their credentials would be published without them knowing."
}
],
"metrics": [
{
"other": {
"content": {
"text": "low"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-922",
"description": "CWE-922 Insecure Storage of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-26T08:01:24.486Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/ftg81np183wnyk0kg4ks95dvgxdrof96"
}
],
"source": {
"defect": [
"ARCHETYPE-657"
],
"discovery": "INTERNAL"
},
"title": "Maven Archetype Plugin: Maven Archetype integration-test may package local settings into the published artifact, possibly containing credentials",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-47197",
"datePublished": "2024-09-26T08:01:24.486Z",
"dateReserved": "2024-09-20T20:04:10.889Z",
"dateUpdated": "2025-03-17T17:36:10.410Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}