Skip to main content

Maven

8 CVEs product

Monthly

CVE-2021-26291 Maven CRITICAL POC PATCH Act Now

Apache Maven will follow repositories that are defined in a dependency’s Project Object Model (pom) which may be surprising to some users, resulting in potential risk if a malicious actor takes over. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Apache Information Disclosure Maven Quarkus Financial Services Analytical Applications Infrastructure +1
NVD
CVSS 3.1
9.1
EPSS
8.7%
CVE-2021-26719 MEDIUM This Month

A directory traversal issue was discovered in Gradle gradle-enterprise-test-distribution-agent before 1.3.2, test-distribution-gradle-plugin before 1.3.2, and gradle-enterprise-maven-extension before. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Enterprise Test Distribution Agent Maven Test Distribution
NVD
CVSS 3.1
6.5
EPSS
1.4%
CVE-2020-15777 Maven HIGH PATCH This Week

An issue was discovered in the Maven Extension plugin before 1.6 for Gradle Enterprise. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Java RCE Privilege Escalation Deserialization Maven
NVD
CVSS 3.1
7.8
EPSS
1.0%
CVE-2019-16550 Maven HIGH PATCH This Week

A cross-site request forgery vulnerability in a connection test form method in Jenkins Maven Release Plugin 0.16.1 and earlier allows attackers to have Jenkins connect to an attacker specified web. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jenkins CSRF Maven
NVD
CVSS 3.1
8.8
EPSS
0.6%
CVE-2019-16549 Maven HIGH PATCH This Week

Jenkins Maven Release Plugin 0.16.1 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks, allowing man-in-the-middle attackers to have Jenkins parse crafted XML. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

XXE Jenkins Maven
NVD
CVSS 3.1
8.1
EPSS
1.0%
CVE-2019-10358 Maven MEDIUM PATCH This Month

Jenkins Maven Integration Plugin 3.3 and earlier did not apply build log decorators to module builds, potentially revealing sensitive build variables in the build log. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins Information Disclosure Maven
NVD
CVSS 3.1
6.5
EPSS
1.0%
CVE-2019-9843 Maven HIGH PATCH This Week

In DiffPlug Spotless before 1.20.0 (library and Maven plugin) and before 3.20.0 (Gradle plugin), the XML parser would resolve external entities over both HTTP and HTTPS and didn't respect the. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

XXE Gradle Maven
NVD GitHub
CVSS 3.0
7.5
EPSS
1.5%
CVE-2013-0253 MEDIUM PATCH This Month

The default configuration of Apache Maven 3.0.4, when using Maven Wagon 2.1, disables SSL certificate checks, which allows remote attackers to spoof servers via a man-in-the-middle (MITM) attack. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable.

Apache Information Disclosure Maven
NVD
CVSS 2.0
5.8
EPSS
0.7%
EPSS 9% CVSS 9.1
CRITICAL POC PATCH Act Now

Apache Maven will follow repositories that are defined in a dependency’s Project Object Model (pom) which may be surprising to some users, resulting in potential risk if a malicious actor takes over. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Apache Information Disclosure Maven +3
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

A directory traversal issue was discovered in Gradle gradle-enterprise-test-distribution-agent before 1.3.2, test-distribution-gradle-plugin before 1.3.2, and gradle-enterprise-maven-extension before. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Enterprise Test Distribution Agent Maven +1
NVD
EPSS 1% CVSS 7.8
HIGH PATCH This Week

An issue was discovered in the Maven Extension plugin before 1.6 for Gradle Enterprise. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Java RCE Privilege Escalation +2
NVD
EPSS 1% CVSS 8.8
HIGH PATCH This Week

A cross-site request forgery vulnerability in a connection test form method in Jenkins Maven Release Plugin 0.16.1 and earlier allows attackers to have Jenkins connect to an attacker specified web. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jenkins CSRF Maven
NVD
EPSS 1% CVSS 8.1
HIGH PATCH This Week

Jenkins Maven Release Plugin 0.16.1 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks, allowing man-in-the-middle attackers to have Jenkins parse crafted XML. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

XXE Jenkins Maven
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Jenkins Maven Integration Plugin 3.3 and earlier did not apply build log decorators to module builds, potentially revealing sensitive build variables in the build log. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins Information Disclosure Maven
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

In DiffPlug Spotless before 1.20.0 (library and Maven plugin) and before 3.20.0 (Gradle plugin), the XML parser would resolve external entities over both HTTP and HTTPS and didn't respect the. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

XXE Gradle Maven
NVD GitHub
EPSS 1% CVSS 5.8
MEDIUM PATCH This Month

The default configuration of Apache Maven 3.0.4, when using Maven Wagon 2.1, disables SSL certificate checks, which allows remote attackers to spoof servers via a man-in-the-middle (MITM) attack. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable.

Apache Information Disclosure Maven
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy