CVE-2021-26291
Dependency Confusion vulnerability in maven-compat (Maven)

Dependency Confusion Proof of concept

What is CVE-2021-26291 About?

This vulnerability in Apache Maven involves dependency confusion where malicious actors can take over or impersonate repositories. This may lead to the introduction of malicious code into builds, potentially compromising the integrity of software. Exploitation requires control over a repository or the ability to intercept repository communication.

Affected Software

  • org.apache.maven:maven-compat
    • <3.8.1
  • org.apache.maven:maven-core
    • <3.8.1

Technical Details

Apache Maven versions prior to 3.8.1 are configured to implicitly follow repository definitions found within a dependency's Project Object Model (POM). This behavior, while intended for convenience, creates a vulnerability if the specified repository is compromised or spoofed. An attacker could take control of a repository referenced in a POM, or position themselves to act as that repository (e.g., via DNS spoofing or man-in-the-middle attacks), and serve malicious artifacts to a build process. The vulnerability is particularly pronounced when using non-SSL (HTTP) repository references, as these lack integrity and authenticity protections, making spoofing easier. Maven's default behavior was changed in version 3.8.1 and later to no longer follow HTTP repository references by default, mitigating this risk. Users employing a repository manager that governs all build repositories are typically unaffected.

What is the Impact of CVE-2021-26291?

Successful exploitation may allow attackers to inject arbitrary code, compromise the build process, and lead to supply chain attacks or the distribution of malicious software.

What is the Exploitability of CVE-2021-26291?

Exploitation complexity is moderate, requiring an attacker to either compromise a legitimate repository or intercept network traffic to masquerade as one. No direct authentication to the build system is required for the initial attack, but control over the repository infrastructure is necessary. This vulnerability primarily affects remote repositories and builds. A key factor increasing exploitability is the continued use of unencrypted HTTP repository references, as these are easier to spoof or intercept. Organizations not using a repository manager to gate external dependencies are at higher risk.

What are the Known Public Exploits?

  • PoC Author: jpmartins
    • Link: Link
    • Commentary: Context of CVE-2021-26291 minimal replicator

What are the Available Fixes for CVE-2021-26291?

Available Upgrade Options

  • org.apache.maven:maven-compat
    • <3.8.1 → Upgrade to 3.8.1
  • org.apache.maven:maven-core
    • <3.8.1 → Upgrade to 3.8.1
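The following checker is an added example written for this page; it is not Apache Maven's own code and not the PoC listed above. It covers both the Technical Details and the upgrade options: it scans a POM for the plain-HTTP `<repository>` and `<pluginRepository>` declarations that a pre-3.8.1 Maven would follow implicitly, and it checks whether a `settings.xml` already contains a blocked mirror covering `external:http:*`, which is how Maven 3.8.1's default settings stop HTTP repositories and which can be added by hand on older versions that cannot be upgraded immediately. The sample POM and settings documents are constructed, and the hostnames in them are placeholders.

```python
"""Added example (not Apache Maven's code): detect the plain-HTTP repository
declarations that CVE-2021-26291 hinges on, and check whether a settings.xml
already carries the blocking mirror that Maven 3.8.1 ships by default."""
import xml.etree.ElementTree as ET
from typing import List, Tuple


def _ns(root: ET.Element) -> str:
    # Root tag is "{http://maven.apache.org/POM/4.0.0}project" when the file
    # declares the default namespace, or plain "project" when it does not.
    return root.tag[1:root.tag.index("}")] if root.tag.startswith("{") else ""


def _q(ns: str, local: str) -> str:
    # Qualify a local element name with the document's namespace, if any.
    return f"{{{ns}}}{local}" if ns else local


def find_http_repositories(pom_xml: str) -> List[Tuple[str, str, str]]:
    """Return (kind, id, url) for each <repository>/<pluginRepository> whose
    URL uses plain HTTP; these are the references a pre-3.8.1 Maven follows
    with no integrity or authenticity protection."""
    root = ET.fromstring(pom_xml)
    ns = _ns(root)
    findings = []
    for container, element in (("repositories", "repository"),
                               ("pluginRepositories", "pluginRepository")):
        for repo in root.iterfind(f"{_q(ns, container)}/{_q(ns, element)}"):
            url = (repo.findtext(_q(ns, "url")) or "").strip()
            repo_id = (repo.findtext(_q(ns, "id")) or "<no id>").strip()
            if url.lower().startswith("http://"):
                findings.append((element, repo_id, url))
    return findings


# The mirror entry Maven 3.8.1's default settings.xml uses to block HTTP
# repositories; adding it to ~/.m2/settings.xml gives older Maven versions
# the same behaviour.
HTTP_BLOCKER_MIRROR = """<mirror>
  <id>maven-default-http-blocker</id>
  <mirrorOf>external:http:*</mirrorOf>
  <name>Pseudo repository to mirror external repositories initially using HTTP.</name>
  <url>http://0.0.0.0/</url>
  <blocked>true</blocked>
</mirror>"""


def settings_has_http_blocker(settings_xml: str) -> bool:
    """True if settings.xml declares a blocked mirror covering external:http:*."""
    root = ET.fromstring(settings_xml)
    ns = _ns(root)
    for mirror in root.iterfind(f"{_q(ns, 'mirrors')}/{_q(ns, 'mirror')}"):
        mirror_of = (mirror.findtext(_q(ns, "mirrorOf")) or "").strip()
        blocked = (mirror.findtext(_q(ns, "blocked")) or "false").strip().lower()
        if mirror_of == "external:http:*" and blocked == "true":
            return True
    return False


# Constructed sample POM: one HTTPS repository (fine), one HTTP repository and
# one HTTP plugin repository (both flagged). Hostnames are placeholders.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>demo</artifactId>
  <version>1.0</version>
  <repositories>
    <repository>
      <id>central-mirror</id>
      <url>https://repo.example.org/maven2</url>
    </repository>
    <repository>
      <id>legacy-internal</id>
      <url>http://legacy.example.org/maven2</url>
    </repository>
  </repositories>
  <pluginRepositories>
    <pluginRepository>
      <id>legacy-plugins</id>
      <url>HTTP://plugins.example.org/maven2</url>
    </pluginRepository>
  </pluginRepositories>
</project>"""

# Constructed settings.xml documents: one without the blocker, one with it.
SAMPLE_SETTINGS_OPEN = """<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <mirrors/>
</settings>"""

SAMPLE_SETTINGS_BLOCKED = f"""<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <mirrors>
{HTTP_BLOCKER_MIRROR}
  </mirrors>
</settings>"""

if __name__ == "__main__":
    for kind, repo_id, url in find_http_repositories(SAMPLE_POM):
        print(f"plain-HTTP {kind} '{repo_id}': {url}")
    if not settings_has_http_blocker(SAMPLE_SETTINGS_OPEN):
        print("settings.xml lacks the HTTP blocker; add:\n" + HTTP_BLOCKER_MIRROR)
```

Run the scan over every `pom.xml` in the local repository cache as well as the project's own, since the dangerous declarations usually arrive in a dependency's POM rather than the one you wrote. Upgrading to Maven 3.8.1 remains the fix; the blocker mirror only reproduces its default for installations that cannot upgrade yet.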


Additional Resources

What are Similar Vulnerabilities to CVE-2021-26291?

Similar Vulnerabilities: CVE-2021-22927, CVE-2021-22929, CVE-2021-22876, CVE-2021-39130, CVE-2021-39131