Apache Maven 3.0.4 Insecure SSL Mode

2013.02.26

Credit: Graham Leggett

Risk: Medium

Local: No

Remote: Yes

CVE: CVE-2013-0253

CWE: CWE-16

CVSS Base Score: 5.8/10

Impact Subscore: 4.9/10

Exploitability Subscore: 8.6/10

Exploit range: Remote

Attack complexity: Medium

Authentication: No required

Confidentiality impact: Partial

Integrity impact: Partial

Availability impact: None

CVE-2013-0253 Apache Maven
Severity: Medium
Vendor: The Apache Software Foundation
Versions Affected:
- Apache Maven 3.0.4
- Apache Maven Wagon 2.1, 2.2, 2.3
Description:
Apache Maven 3.0.4 (with Apache Maven Wagon 2.1) has introduced a non-secure
SSL mode by default. This mode disables all SSL certificate checking,
including: host name verification , date validity, and certificate
chain. Not validating the certificate introduces the possibility of a
man-in-the-middle attack.
All users are recommended to upgrade to Apache Maven 3.0.5 and Apache
Maven Wagon 2.4.
Credit
This issue was identified by Graham Leggett
--
The Apache Maven Team

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Apache Maven 3.0.4 Insecure SSL Mode

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.