
CVE-2021-26291 PoC — block repositories using http by default

Source
Associated Vulnerability
Title: block repositories using http by default (CVE-2021-26291)
Description: Apache Maven will follow repositories that are defined in a dependency’s Project Object Model (pom) which may be surprising to some users, resulting in potential risk if a malicious actor takes over that repository or is able to insert themselves into a position to pretend to be that repository. Maven is changing the default behavior in 3.8.1+ to no longer follow http (non-SSL) repository references by default. More details available in the referenced URLs. If you are currently using a repository manager to govern the repositories used by your builds, you are unaffected by the risks present in the legacy behavior, and are unaffected by this vulnerability and change to default behavior. See this link for more information about repository management: https://maven.apache.org/repository-management.html
Description
Context of CVE-2021-26291 minimal replicator
Readme

After significant effort, I stripped it down to a minimal replicator.

This is just an empty project to demonstrate the issue with the dependency-check-maven usage that I am forced into by my company's rules.

Do check the pom.xml and do verify:

`mvn org.owasp:dependency-check-maven:RELEASE:aggregate`

Or, if you have an NVD_API_KEY env var, the faster:

`mvn org.owasp:dependency-check-maven:RELEASE:aggregate -DnvdApiKey=${NVD_API_KEY}`

And you will get a lot of them, including this one:

```text
...
[ERROR] maven-core-3.6.3.jar (pkg:maven/org.apache.maven/maven-core@3.6.3, cpe:2.3:a:apache:maven:3.6.3:*:*:*:*:*:*:*): CVE-2021-26291(9.1)
...
```

The "apparently" misleading [dependency-check-report.html](target/site/dependency-check/dependency-check-report.html) says:

    maven-core-3.6.3.jar
    Referenced In Project/Scope: test (plugins)
    Included by: pkg:maven/org.owasp/dependency-check-maven@12.1.0 (plugins)

The issue originates from the company-imposed (huge) parent pom, with the mandatory configuration:

    <failBuildOnCVSS>7</failBuildOnCVSS>
    <scanPlugins>true</scanPlugins>

There is no explicit reference to maven-core 3.6.3 anywhere in my company's parent pom or its dependencies. The following returns nothing:

```bash
mvn help:effective-pom | grep 3.6.3
```
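The report line quoted above shows why the finding appears: with `scanPlugins` enabled, dependency-check also scans its own plugin classpath, and `maven-core-3.6.3.jar` is "Included by" the plugin, not by the project. The helper below is an added example (not part of the replicator repo or of dependency-check) that reads a `dependency-check-report.json`, keeps only findings at or above the `failBuildOnCVSS` threshold, and separates artifacts reached only through build plugins from real project dependencies. It assumes the JSON report exposes `dependencies[].includedBy[].type`, `projectReferences` and `vulnerabilities[].cvssv3.baseScore`; the sample report is constructed inline.

```python
import json
from typing import Any, Dict, List

# Constructed sample in the shape of dependency-check-report.json (schema keys are
# an assumption; the second entry and its CVE id are placeholders, not real data).
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {
            "fileName": "maven-core-3.6.3.jar",
            "projectReferences": ["test (plugins)"],
            "includedBy": [{"reference": "pkg:maven/org.owasp/dependency-check-maven@12.1.0",
                            "type": "plugins"}],
            "vulnerabilities": [{"name": "CVE-2021-26291", "cvssv3": {"baseScore": 9.1}}],
        },
        {
            "fileName": "example-lib-1.0.jar",
            "projectReferences": ["compile"],
            "includedBy": [{"reference": "pkg:maven/com.example/app@1.0", "type": "dependencies"}],
            "vulnerabilities": [{"name": "CVE-0000-0000", "cvssv3": {"baseScore": 7.5}}],
        },
    ]
})


def plugin_only(dep: Dict[str, Any]) -> bool:
    """True when every path into this artifact goes through a build plugin."""
    included_by = dep.get("includedBy") or []
    return bool(included_by) and all(i.get("type") == "plugins" for i in included_by)


def max_cvss(dep: Dict[str, Any]) -> float:
    """Highest CVSS score across the artifact's vulnerabilities (v3 preferred, v2 fallback)."""
    scores: List[float] = []
    for vuln in dep.get("vulnerabilities") or []:
        for key in ("cvssv3", "cvssv2"):
            block = vuln.get(key) or {}
            score = block.get("baseScore", block.get("score"))
            if score is not None:
                scores.append(float(score))
    return max(scores, default=0.0)


def triage(report_text: str, fail_on: float = 7.0) -> Dict[str, List[str]]:
    """Bucket findings >= fail_on into project dependencies vs. plugin-classpath-only."""
    report = json.loads(report_text)
    result: Dict[str, List[str]] = {"project": [], "plugin_classpath": []}
    for dep in report.get("dependencies", []):
        score = max_cvss(dep)
        if score < fail_on:
            continue  # below the failBuildOnCVSS threshold used by the parent pom
        bucket = "plugin_classpath" if plugin_only(dep) else "project"
        result[bucket].append(f"{dep['fileName']} ({score})")
    return result
```

Findings in the `plugin_classpath` bucket concern the build host's plugin classpath rather than the artifact being shipped, so they are the ones to review separately (or suppress with a scoped suppression file) instead of failing the build on the same footing as project dependencies.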



File Snapshot

```text
[4.0K] /data/pocs/38f66a3c2cef10094e1e9aee4e7a1f6baf0f8e52
├── [1.2K] README.md
└── [4.0K] target
    └── [4.0K] site
        └── [4.0K] dependency-check
            ├── [407K] dependency-check-gitlab.json
            ├── [902K] dependency-check-jenkins.html
            ├── [141K] dependency-check-junit.xml
            ├── [ 94K] dependency-check-report.csv
            ├── [2.4M] dependency-check-report.html
            ├── [1.8M] dependency-check-report.json
            ├── [282K] dependency-check-report.sarif
            └── [2.1M] dependency-check-report.xml

3 directories, 9 files
```