Unintended Publishing of Sensitive Information in Maven Artifact
CVE-2024-47197

7.5HIGH

Key Information:

Vendor
Apache
CVE Published:
26 September 2024

Summary

An information-disclosure vulnerability has been identified in the Apache Maven Archetype Plugin. During archetype integration testing the plugin writes a file named 'archetype-settings.xml' under './target/classes/archetype-it/'. That file contains the complete contents of the user's '~/.m2/settings.xml', which on many developer machines holds repository credentials (for example '<server>' entries with '<username>' and '<password>'). Because 'target/classes' is the directory that is packaged into the final JAR, a subsequent 'mvn verify' that is not preceded by 'mvn clean' bundles the leaked file into the artifact. A developer who then deploys that artifact to Maven Central or any other remote repository publishes their credentials without realising it. Users are recommended to upgrade to version 3.3.0 of the Maven Archetype Plugin, which fixes the issue; until then, always run 'mvn clean' before building a release and inspect the artifact for 'archetype-it/archetype-settings.xml' before deploying it.
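The following pre-deploy check is an added example and is not part of this advisory or of the Maven Archetype Plugin itself. It opens a built JAR (a ZIP file) and reports two things: any entry at the leak path described above, 'archetype-it/archetype-settings.xml', and any XML entry that carries a non-empty '<password>', '<passphrase>' or '<privateKey>' element, which is the shape of a copied settings.xml. The sample JAR and the settings content inside it are constructed inline so the script runs offline; the function names 'scan_artifact' and 'build_sample_jar' and the secret-tag list are the example's own assumptions.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Path the affected plugin writes under target/classes (and hence into the JAR).
LEAK_PATH_RE = re.compile(r"(^|/)archetype-it/archetype-settings\.xml$")

# Element names in settings.xml whose values are credentials (assumed list).
SECRET_TAGS = {"password", "passphrase", "privateKey"}

# Constructed stand-in for a developer's ~/.m2/settings.xml; not a real secret.
SAMPLE_SETTINGS_XML = """<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <servers>
    <server>
      <id>ossrh</id>
      <username>deployer</username>
      <password>example-not-a-real-secret</password>
    </server>
  </servers>
</settings>
"""


def scan_artifact(jar_bytes: bytes) -> list:
    """Return a list of (entry_name, reason) findings for a JAR given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            # 1. The exact file the vulnerable plugin leaves behind.
            if LEAK_PATH_RE.search(name):
                findings.append((name, "archetype-settings.xml copied from ~/.m2/settings.xml (CVE-2024-47197)"))
            # 2. Any XML entry that carries credential-bearing elements with a value.
            if name.endswith(".xml"):
                try:
                    root = ET.fromstring(zf.read(name))
                except ET.ParseError:
                    continue  # not well-formed XML; nothing to inspect
                for el in root.iter():
                    local_tag = el.tag.split("}")[-1]  # strip the XML namespace
                    if local_tag in SECRET_TAGS and (el.text or "").strip():
                        findings.append((name, f"<{local_tag}> element with a value"))
    return findings


def build_sample_jar(include_leak: bool) -> bytes:
    """Build a minimal archetype-style JAR in memory; constructed test input only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("com/example/App.class", b"\xca\xfe\xba\xbe")
        zf.writestr("META-INF/maven/archetype-metadata.xml", '<archetype-descriptor name="demo"/>')
        if include_leak:
            # Simulates 'mvn verify' after an integration test run without 'mvn clean'.
            zf.writestr("archetype-it/archetype-settings.xml", SAMPLE_SETTINGS_XML)
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    # Usage: python check_jar.py path/to/artifact.jar ; with no argument, scan the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_jar(True)
    for entry, reason in scan_artifact(data):
        print(f"LEAK: {entry}: {reason}")
```

Wiring this into the release pipeline between 'mvn verify' and 'mvn deploy' (and failing the job on any finding) catches the published-credential scenario even on a machine that still runs a vulnerable plugin version; the XML check also flags other copied settings files, not only the one path this CVE names.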

Affected Version(s)

Maven Archetype Plugin from 3.2.1 before 3.3.0 (fixed in 3.3.0)

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability reserved

  • Vulnerability published: 26 September 2024

Credit

Niels Basjes