Jenkins Maven vulnerabilities
6 known vulnerabilities affecting jenkins/maven.
Total CVEs: 6
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 2, MEDIUM 3
Vulnerabilities
CVE-2021-26291 [CRITICAL] CVSS 9.1 | affected versions: ≥ 0, < 3.8.6-1 | published 2021-04-23 | source: osv
Apache Maven will follow repositories that are defined in a dependency’s Project Object Model (pom) which may be surprising to some users, resulting in potential risk if a malicious actor takes over that repository or is able to insert themselves into a position to pretend to be that repository. Maven is c
CVE-2019-16549 [HIGH] CWE-611 | CVSS 8.1 | affected versions: ≤ 0.16.1 | published 2019-12-17 | source: nvd
Jenkins Maven Release Plugin 0.16.1 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks, allowing man-in-the-middle attackers to have Jenkins parse crafted XML documents.
CVE-2019-16550 [HIGH] CWE-352 | CVSS 8.8 | affected versions: ≤ 0.16.1 | published 2019-12-17 | source: nvd
A cross-site request forgery vulnerability in a connection test form method in Jenkins Maven Release Plugin 0.16.1 and earlier allows attackers to have Jenkins connect to an attacker-specified web server and parse XML documents.
CVE-2019-10358 [MEDIUM] CWE-532 | CVSS 6.5 | affected versions: ≤ 3.3 | published 2019-07-31 | source: nvd
Jenkins Maven Integration Plugin 3.3 and earlier did not apply build log decorators to module builds, potentially revealing sensitive build variables in the build log.
CVE-2017-1000397 [MEDIUM] CVSS 5.9 | affected versions: ≤ 2.17 | published 2018-01-26 | source: nvd
Jenkins Maven Plugin 2.17 and earlier bundled a version of the commons-httpclient library with the vulnerability CVE-2012-6153 that incorrectly verified SSL certificates, making it susceptible to man-in-the-middle attacks. Maven Plugin 3.0 no longer has a dependency on commons-httpclient.
CVE-2013-0253 [MEDIUM] CVSS 5.8 | affected versions: ≥ 0, < 3.0.5-1 | published 2013-04-09 | source: osv
The default configuration of Apache Maven 3.0.4, when using Maven Wagon 2.1, disables SSL certificate checks, which allows remote attackers to spoof servers via a man-in-the-middle (MITM) attack.