Posted to issues@maven.apache.org by "Brent Shikoski (Jira)" <ji...@apache.org> on 2022/10/07 21:03:00 UTC

[jira] [Commented] (MWAR-456) Latest maven-war-plugin causing vulnerable .jars to be downloaded

    [ https://issues.apache.org/jira/browse/MWAR-456?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17614257#comment-17614257 ] 

Brent Shikoski commented on MWAR-456:
-------------------------------------

I don't know about plexus-utils-2.0.5, but maven-shared-utils-3.2.1.jar is obviously a direct dependency in maven-war-plugin version 3.3.2.
[https://github.com/apache/maven-war-plugin/blob/maven-war-plugin-3.3.2/pom.xml]
[https://maven.apache.org/plugins/maven-war-plugin/dependencies.html]

In Apache Maven maven-shared-utils prior to version 3.3.3, the Commandline class can emit double-quoted strings without proper escaping, allowing shell injection attacks.

[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29599]
https://issues.apache.org/jira/browse/MSHARED-297

> Latest maven-war-plugin causing vulnerable .jars to be downloaded
> -----------------------------------------------------------------
>
>                 Key: MWAR-456
>                 URL: https://issues.apache.org/jira/browse/MWAR-456
>             Project: Maven WAR Plugin
>          Issue Type: Bug
>    Affects Versions: 3.3.2
>         Environment: Linux, Windows
>            Reporter: Joseph Angotti
>            Priority: Blocker
>             Fix For: waiting-for-feedback
>
>         Attachments: Console-Log-Edit.JPG
>
>   Original Estimate: 60h
>  Remaining Estimate: 60h
>
> We are planning to upgrade our project's parent pom.xml file to use maven-war-plugin 3.3.2, which is the latest version, but somehow it is causing 2 vulnerable .jar files, plexus-utils-2.0.5.jar and maven-shared-utils-3.2.1.jar, to be downloaded from our JFrog Artifactory repository when they shouldn't be. Other versions of the maven-war-plugin seem to result in the same issue.
> Is there someone available who can assist with this issue as soon as possible? Our development efforts are currently blocked because of this issue. We need to be able to upgrade to the latest version of the maven-war-plugin and prevent vulnerable .jar files from being downloaded as soon as possible before our remediation deadline in a few weeks. Thank you (see the maven console logs attached for more details).

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
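As an added example (not part of this Jira thread or the plugin's own code), one way a project that uses maven-war-plugin 3.3.2 can stop the vulnerable maven-shared-utils 3.2.1 from being resolved is to declare the fixed release as a plugin-level dependency in its own pom.xml; the coordinates are the published ones for these artifacts, and 3.3.3 is the fix version named in the comment above.

```xml
<!-- Added example (not from the MWAR-456 thread): pin the plugin's
     transitive maven-shared-utils to the fixed 3.3.3 release. -->
<build>
  <plugins>
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-war-plugin</artifactId>
      <version>3.3.2</version>
      <!-- Dependencies declared here are merged with the plugin's own POM.
           A direct declaration takes precedence over the transitive 3.2.1,
           so the vulnerable jar is never requested from the repository. -->
      <dependencies>
        <dependency>
          <groupId>org.apache.maven.shared</groupId>
          <artifactId>maven-shared-utils</artifactId>
          <version>3.3.3</version>
        </dependency>
      </dependencies>
    </plugin>
  </plugins>
</build>
```

Confirm the override with `mvn dependency:resolve-plugins`, which lists each plugin together with the dependencies it actually resolved. plexus-utils could be pinned the same way, but the thread names no fixed version for it, so none is supplied here.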