Apache Software Foundation Apache Maven vulnerabilities

CVE-2022-29599 [CRITICAL] CWE-116 CVE-2022-29599: In Apache Maven maven-shared-utils prior to version 3.3.3, the Commandline class can emit double-quo In Apache Maven maven-shared-utils prior to version 3.3.3, the Commandline class can emit double-quoted strings without proper escaping, allowing shell injection attacks.

CVE-2021-26291 [CRITICAL] CWE-346 CVE-2021-26291: Apache Maven will follow repositories that are defined in a dependency’s Project Object Model (pom) Apache Maven will follow repositories that are defined in a dependency’s Project Object Model (pom) which may be surprising to some users, resulting in potential risk if a malicious actor takes over that repository or is able to insert themselves into a position to pretend to be that repository. Maven is changing the default behavior in 3.8.1+ to n