CVE-2013-0253 — Apache Maven vulnerability

CWE-167 documents6 sources

Severity

5.8MEDIUMNVD

EPSS

0.7%

top 26.89%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Maven Apache Maven

Timeline

PublishedApr 9

Latest updateMay 5

Description

The default configuration of Apache Maven 3.0.4, when using Maven Wagon 2.1, disables SSL certificate checks, which allows remote attackers to spoof servers via a man-in-the-middle (MITM) attack.

CVSS vector

AV:N/AC:M/C:P/I:P/A:NExploitability: 8.6 | Impact: 4.9

Affected Packages2 packages

▶NVDapache/maven3.0.4

▶Ubuntujenkins/maven< 3.0.5-1

Patches

Patch: maven.apache.org ↗Patch: maven.apache.org ↗

🔴Vulnerability Details

GHSA

GHSA-33jw-8g2v-hrp6: The default configuration of Apache Maven 3↗2022-05-05

▶

OSV

CVE-2013-0253: The default configuration of Apache Maven 3↗2013-04-09

▶

CVEList

CVE-2013-0253: The default configuration of Apache Maven 3↗2013-04-09

▶

📋Vendor Advisories

Red Hat

maven-wagon: all SSL certificate checking is disabled by default↗2013-02-23

▶

💬Community

Bugzilla

CVE-2013-0253 maven: all SSL certificate checking is disabled by default [fedora-all]↗2013-03-01

▶

Bugzilla

CVE-2013-0253 maven-wagon: all SSL certificate checking is disabled by default↗2013-03-01

▶