USN-5805-1: Apache Maven vulnerability
Publication date
16 January 2023
Overview
Apache Maven could be made to crash or run programs if it received specially crafted input.
Releases
Packages
- maven - Java software project management and comprehension tool
Details
It was discovered that Apache Maven followed repositories that are defined
in a dependency’s Project Object Model (pom) even if the repositories
weren’t encryptedh (http protocol). An attacker could use this
vulnerability to take over a repository, execute arbitrary code or cause a
denial of service.
It was discovered that Apache Maven followed repositories that are defined
in a dependency’s Project Object Model (pom) even if the repositories
weren’t encryptedh (http protocol). An attacker could use this
vulnerability to take over a repository, execute arbitrary code or cause a
denial of service.
Update instructions
In general, a standard system update will make all the necessary changes.
Learn more about how to get the fixes.The problem can be corrected by updating your system to the following package versions:
Ubuntu Release | Package Version | ||
---|---|---|---|
22.10 kinetic | maven – 3.6.3-5ubuntu1.1 | ||
libmaven3-core-java – 3.6.3-5ubuntu1.1 |
Reduce your security exposure
Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.