9.1
Apache Maven uses insecure repositories by default
Exploitation likelihood: 46%
GHSA-2f88-5hg8-9x2x
CVE-2021-26291
BIT-maven-2021-26291
Summary
Apache Maven follows repository definitions found in a dependency's Project Object Model (POM), including repositories served over plain http, without any warning to the user running the build. An attacker who takes over such a repository, or who can sit on the path of the unencrypted connection and impersonate it, can serve malicious artifacts into the build. Maven 3.8.1 and later change the default so that http (non-TLS) repository references are blocked unless the user explicitly re-enables them. Builds that route all repository access through a repository manager never follow these POM-declared repositories and are not affected.
What to do
- Update org.apache.maven:maven-compat to version 3.8.1 or later.
- Update org.apache.maven:maven-core to version 3.8.1 or later.
- Update the Maven distribution (maven) to version 3.8.1 or later. If all repository access in your builds already goes through a repository manager, you are not exposed to the legacy behaviour, but the upgrade still applies the new default.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | org.apache.maven:maven-compat | < 3.8.1 | 3.8.1 |
| – | org.apache.maven:maven-core | < 3.8.1 | 3.8.1 |
| apache | maven | < 3.8.1 | 3.8.1 |
| quarkus | quarkus | <= 1.13.5 | – |
| oracle | financial_services_analytical_applications_infrastructure | > 8.0.6.0.0, <= 8.0.9.0.0 | – |
| oracle | financial_services_analytical_applications_infrastructure | > 8.1.0.0.0, <= 8.1.2.0 | – |
| oracle | goldengate_big_data_and_application_adapters | 23.1 | – |
| – | maven | < 3.8.1 | 3.8.1 |
Original title
block repositories using http by default
Original description
Apache Maven will follow repositories that are defined in a dependency’s Project Object Model (pom) which may be surprising to some users, resulting in potential risk if a malicious actor takes over that repository or is able to insert themselves into a position to pretend to be that repository. Maven is changing the default behavior in 3.8.1+ to no longer follow http (non-SSL) repository references by default. More details available in the referenced urls. If you are currently using a repository manager to govern the repositories used by your builds, you are unaffected by the risks present in the legacy behavior, and are unaffected by this vulnerability and change to default behavior. See this link for more information about repository management: https://maven.apache.org/repository-management.html
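As an added example, not code from this advisory or from the Maven project: the default that 3.8.1 introduces is a mirror entry in Maven's own conf/settings.xml, `maven-default-http-blocker`, whose `<mirrorOf>external:http:*</mirrorOf>` selector matches every repository that uses plain http and is not on localhost, and whose `<blocked>true</blocked>` makes resolution from any matched repository fail. The script below reproduces that selector in Python and runs it over a constructed POM (the `.invalid` hostnames and repository ids are made up) so you can see which `<repositories>` and `<pluginRepositories>` declarations in your own POMs, or in a dependency's POM, Maven < 3.8.1 was following over cleartext. Property placeholders such as `${repo.url}` are not resolved and are skipped; the file name suggested in the usage note is an assumption.

```python
"""Flag POM repositories that Maven 3.8.1+ blocks by default (added example, not Maven code).

Maven 3.8.1 ships this mirror in conf/settings.xml (quoted from the release):

    <mirror>
      <id>maven-default-http-blocker</id>
      <mirrorOf>external:http:*</mirrorOf>
      <name>Pseudo repository to mirror external repositories initially using HTTP.</name>
      <url>http://0.0.0.0/</url>
      <blocked>true</blocked>
    </mirror>

The functions below reproduce the external:http:* selector and apply it to a POM.
"""
import sys
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Maven's external:* selector treats these hosts as local and leaves them alone.
_LOCAL_HOSTS = {"localhost", "127.0.0.1"}


def blocked_by_default(url: str) -> bool:
    """True if Maven 3.8.1's external:http:* blocker would refuse this repository URL.

    Only the plain http scheme matches; https, file:// and unresolved
    ${property} placeholders (which have no scheme) do not.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "http":
        return False
    return (parts.hostname or "").lower() not in _LOCAL_HOSTS


def _local_name(tag: str) -> str:
    """Drop the {namespace} prefix ElementTree puts on POM element tags."""
    return tag.rsplit("}", 1)[-1]


def http_repositories(pom_xml: str) -> list[tuple[str, str, str]]:
    """Return (section, id, url) for each <repository>/<pluginRepository> in the
    POM that Maven < 3.8.1 would have followed over cleartext http.

    Looks in every <repositories> and <pluginRepositories> block, including
    those inside <profiles>; <distributionManagement> is deployment-only and is
    not consulted.
    """
    root = ET.fromstring(pom_xml)
    findings = []
    for section in root.iter():
        section_name = _local_name(section.tag)
        if section_name not in ("repositories", "pluginRepositories"):
            continue
        for repo in section:
            repo_id, url = "(no id)", ""
            for child in repo:
                name = _local_name(child.tag)
                if name == "id":
                    repo_id = (child.text or "").strip() or repo_id
                elif name == "url":
                    url = (child.text or "").strip()
            if url and blocked_by_default(url):
                findings.append((section_name, repo_id, url))
    return findings


# Constructed sample POM; the .invalid hosts are placeholders, not real repositories.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>some-transitive-dependency</artifactId>
  <version>1.0</version>
  <repositories>
    <repository>
      <id>vendor-releases</id>
      <url>http://repo.example.invalid/releases</url>
    </repository>
    <repository>
      <id>vendor-secure</id>
      <url>https://repo.example.invalid/releases</url>
    </repository>
    <repository>
      <id>dev-local</id>
      <url>http://localhost:8081/repository/maven-public/</url>
    </repository>
  </repositories>
  <pluginRepositories>
    <pluginRepository>
      <id>plugins-http</id>
      <url>http://plugins.example.invalid/</url>
    </pluginRepository>
  </pluginRepositories>
</project>
"""


def main(paths: list[str]) -> int:
    """Audit the given POM files (or the sample when none are given); exit 1 on findings."""
    sources = [(p, open(p, encoding="utf-8").read()) for p in paths] or [("<sample>", SAMPLE_POM)]
    total = 0
    for label, xml in sources:
        for section, repo_id, url in http_repositories(xml):
            print(f"{label}: {section}/{repo_id} -> {url} (blocked by default in Maven 3.8.1+)")
            total += 1
    return 1 if total else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it against real files with `python audit_http_repos.py path/to/pom.xml` (the file name is ours). Note that upgrading to 3.8.1 without a repository manager is a change in behaviour, not only a fix: any repository this script flags will fail to resolve after the upgrade, with the error naming `maven-default-http-blocker`, until the repository is switched to https or deliberately re-enabled with a mirror entry of your own in settings.xml. Re-enable only repositories you trust and can reach without crossing an untrusted network.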
CVSS 3.1 score (GHSA)
9.1
Vulnerability type
CWE-346 (Origin Validation Error)
References
- https://nvd.nist.gov/vuln/detail/CVE-2021-26291
- http://www.openwall.com/lists/oss-security/2021/04/23/5
- https://lists.apache.org/thread.html/r0556ce5db7231025785477739ee416b169d8aff5ee...
- https://lists.apache.org/thread.html/r3f0450dcab7e63b5f233ccfbc6fca5f1867a75c8aa...
- https://lists.apache.org/thread.html/ra88a0eba7f84658cefcecc0143fd8bbad52c229ee5...
- https://lists.apache.org/thread.html/rfc27e2727a20a574f39273e0432aa97486a332f9b3...
- https://lists.apache.org/thread.html/r0a5e4ff2a7ca7ad8595d7683afbaeb3b8788ba9746...
- https://lists.apache.org/thread.html/r30e9fcba679d164158cc26236704c351954909c18c...
- https://lists.apache.org/thread.html/r340e75c9bb6e8661b89e1cf2c52f4638a18312e57b...
- https://lists.apache.org/thread.html/r39fa6ec4b7e912d3e04ea68efd23e554ec9c8efa2c...
- https://lists.apache.org/thread.html/r5ae6aaa8a2ce86145225c3516bb45d315c0454e376...
- https://lists.apache.org/thread.html/r7212b874e575e59d648980d91bc22e684906aee9b2...
- https://lists.apache.org/thread.html/rcd6c3a36f1dbc130da1b89d0f320db7040de71661a...
- https://lists.apache.org/thread.html/red3bf6cbfd99e36b0c0a4fa1cea1eef1eb300c6bd8...
- https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdb...
- https://lists.apache.org/thread.html/r07a89b32783f73bda6903c1f9aadeb859e5bef0a4d...
- https://lists.apache.org/thread.html/r08a401f8c98a99f68d061fde6e6659d695f28d60fe...
- https://lists.apache.org/thread.html/r0d083314aa3934dd4b6e6970d1f6ee50f6eaa9d867...
- https://lists.apache.org/thread.html/r167dbc42ef7c59802c2ca1ac14735ef9cf687c2520...
- https://lists.apache.org/thread.html/r2ddabd06d94b60cfb0141e4abb23201c628ab925e3...
- https://lists.apache.org/thread.html/r30a139c165b3da6e0d5536434ab1550534011b1fdf...
- https://lists.apache.org/thread.html/r4e1619cfefcd031fac62064a3858f5c9229eef907b...
- https://lists.apache.org/thread.html/r52c6cda14dc6315dc79e72d30109f4589e9c6300ef...
- https://lists.apache.org/thread.html/r53cd5de57aaa126038c5301d8f518f3defab3c5b1c...
- https://lists.apache.org/thread.html/r71bc13669be84c2ff45b74a67929bc2da905c152e1...
- https://lists.apache.org/thread.html/r74329c671df713f61ae4620ee2452a0443ccad7f33...
- https://lists.apache.org/thread.html/r77af3ac7c3bfbd5454546e13faf7aec21d627bdcf3...
- https://lists.apache.org/thread.html/r96cc126d3ee9aa42af9d3bb4baa94828b0a5f65658...
- https://lists.apache.org/thread.html/ra9d984eccfd2ae7726671e025f0296bf03786e5cdf...
- https://lists.apache.org/thread.html/rc9e441c1576bdc4375d32526d5cf457226928e9c87...
- https://lists.apache.org/thread.html/rcd37d9214b08067a2e8f2b5b4fd123a1f8cb600869...
- https://lists.apache.org/thread.html/rdcbad6d8ce72c79827ed8c635f9a62dd919bb21c94...
- https://lists.apache.org/thread.html/re75f8b3dbc5faa1640908f87e644d373e00f8b4e6b...
- https://lists.apache.org/thread.html/rf9abfc0223747a56694825c050cc6b66627a293a32...
- https://lists.apache.org/thread.html/rfc0db1f3c375087e69a239f9284ded72d04fbb5584...
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://github.com/apache/maven/commit/899465aeec03753ea91e15a79579eab76369c016
- https://github.com/apache/maven/commit/fa79cb22e456cc65522b5bab8c4240fe08c5775f
- https://issues.apache.org/jira/browse/MNG-7116
- https://issues.apache.org/jira/browse/MNG-7117
- https://maven.apache.org/docs/3.8.1/release-notes.html
- https://github.com/advisories/GHSA-2f88-5hg8-9x2x
- https://lists.apache.org/thread.html/r06db4057b74e0598a412734f693a34a8836ac6f06d...
- https://lists.apache.org/thread.html/r78fb6d2cf0ca332cfa43abd4471e75fa6c517ed9cd...
- https://lists.apache.org/thread.html/r86aebd0387ae19b740b3eb28bad83fe6aceca0d625...
- https://lists.apache.org/thread.html/r86e1c81e03f441855f127980e9b3d41939d04a7cae...
- https://lists.apache.org/thread.html/rc7ae2530063d1cd1cf8e9fa130d10940760f927168...
- https://lists.apache.org/thread.html/r9a027668558264c4897633e66bcb7784099fdec9f9...
- https://www.whitesourcesoftware.com/resources/blog/maven-security-vulnerability-...
- https://github.com/apache/maven
Published: 10 Mar 2026 · Updated: 10 Mar 2026 · First seen: 6 Mar 2026