Java Mailing List Archive

http://www.java2.5341.com/

Home » Maven Announcements »

[SECURITY] CVE-2013-0253 Apache Maven 3.0.4

Olivier Lamy

2013-02-23


Author LoginPost Reply
VE-2013-0253 Apache Maven

Severity: Medium

Vendor: The Apache Software Foundation

Versions Affected:
- Apache Maven 3.0.4
- Apache Maven Wagon 2.1, 2.2, 2.3

Description:
Apache Maven 3.0.4 (with Apache Maven Wagon 2.1) has introduced a non-secure
SSL mode by default. This mode disables all SSL certificate checking,
including: host name verification , date validity, and certificate
chain. Not validating the certificate introduces the possibility of a
man-in-the-middle attack.

All users are recommended to upgrade to Apache Maven 3.0.5 and Apache
Maven Wagon 2.4.

Credit
This issue was identified by Graham Leggett

--
The Apache Maven Team
©2008 java2.5341.com - Jax Systems, LLC, U.S.A.