13898 2023-10-18 20:28:38 +0300 [CVE 21] maven 3.5.4 CVEs found 2024-01-17 17:38:47 +0300 1 1 2 ROSA-based products ROSA Fresh System (kernel, glibc, systemd, bash, PAM...) All All Linux RESOLVED WONTFIX CVE-2021-26291, CVE-2021-26719, Highest blocker --- 1 y.tumanov bugs e.kosachev s.matveev v.potapov y.tumanov 2021.1 oldest_to_newest 69786 0 y.tumanov 2023-10-18 20:28:38 +0300 Please patch CVEs for package maven version 3.5.4 INFO (CVEs are): maven 3.5.4 cves found CVE-2021-26291 Desc: Apache Maven will follow repositories that are defined in a dependency’s Project Object Model (pom) which may be surprising to some users, resulting in potential risk if a malicious actor takes over that repository or is able to insert themselves into a position to pretend to be that repository. Maven is changing the default behavior in 3.8.1+ to no longer follow http (non-SSL) repository references by default. More details available in the referenced urls. If you are currently using a repository manager to govern the repositories used by your builds, you are unaffected by the risks present in the legacy behavior, and are unaffected by this vulnerability and change to default behavior. See this link for more information about repository management: https://maven.apache.org/repository-management.html Link: https://nvd.nist.gov/vuln/detail/CVE-2021-26291 Severity: CRITICAL CVE-2021-26719 Desc: A directory traversal issue was discovered in Gradle gradle-enterprise-test-distribution-agent before 1.3.2, test-distribution-gradle-plugin before 1.3.2, and gradle-enterprise-maven-extension before 1.8.2. A malicious actor (with certain credentials) can perform a registration step such that crafted TAR archives lead to extraction of files into arbitrary filesystem locations. Link: https://nvd.nist.gov/vuln/detail/CVE-2021-26719 Severity: MEDIUM 70279 1 v.potapov 2023-10-20 17:56:14 +0300 *** Bug 13766 has been marked as a duplicate of this bug. *** 71888 2 v.potapov 2024-01-11 05:53:02 +0300 *** Bug 13273 has been marked as a duplicate of this bug. *** 72076 3 v.potapov 2024-01-15 15:18:12 +0300 CVE-2021-26719 не от этого проекта 72165 4 v.potapov 2024-01-17 17:38:47 +0300 minor issue https://security-tracker.debian.org/tracker/CVE-2021-26291