CVE-2013-0253 Apache Maven



Severity: Medium



Vendor: The Apache Software Foundation



Versions Affected:

- Apache Maven 3.0.4
- Apache Maven Wagon 2.1, 2.2, 2.3



Description:

Apache Maven 3.0.4 (with Apache Maven Wagon 2.1) has introduced a non-secure
SSL mode by default. This mode disables all SSL certificate checking,
including host name verification, date validity, and certificate chain.
Not validating the certificate introduces the possibility of a
man-in-the-middle attack.



All users are recommended to upgrade to Apache Maven 3.0.5 and Apache
Maven Wagon 2.4.



Credit:

This issue was identified by Graham Leggett.



--

The Apache Maven Team
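
An added check, not part of the advisory and not code from the Apache Maven project: the shell functions below inspect a Maven installation's lib/ directory and flag jars whose versions appear in the affected list above. They assume jars are named <artifact>-<version>.jar (optionally with a -shaded suffix); the function names are illustrative.

```shell
#!/bin/sh
# Added example: flag a Maven home that ships versions listed as affected.
# Assumption: jars live in <maven-home>/lib and are named
# <artifact>-<version>.jar, e.g. maven-core-3.0.4.jar, wagon-http-2.2-shaded.jar.

# is_affected FAMILY VERSION -> exit 0 if the advisory lists that version.
is_affected() {
    case "$1:$2" in
        maven:3.0.4)                   return 0 ;;
        wagon:2.1|wagon:2.2|wagon:2.3) return 0 ;;
        *)                             return 1 ;;
    esac
}

# jar_version FILENAME -> prints "maven <ver>" or "wagon <ver>", or nothing
# when the file is not a Maven core or Wagon jar.
jar_version() {
    printf '%s\n' "$1" | sed -n \
        -e 's/^maven-core-\([0-9][0-9.]*\)\.jar$/maven \1/p' \
        -e 's/^wagon-[a-z0-9-]*-\([0-9][0-9.]*\)\(-shaded\)\{0,1\}\.jar$/wagon \1/p'
}

# scan_maven_home DIR -> prints one AFFECTED line per matching jar and
# returns 1 if any affected jar was found, 0 otherwise.
scan_maven_home() {
    found=0
    for jar in "$1"/lib/*.jar; do
        [ -e "$jar" ] || continue          # unmatched glob or missing lib/
        name=${jar##*/}
        info=$(jar_version "$name")
        [ -n "$info" ] || continue         # unrelated jar
        family=${info% *}
        version=${info#* }
        if is_affected "$family" "$version"; then
            echo "AFFECTED $name ($family $version)"
            found=1
        fi
    done
    return "$found"
}

# Run a scan only when a Maven home is given on the command line.
if [ "$#" -gt 0 ]; then
    scan_maven_home "$1"
fi
```

The non-zero return value on a match lets the scan gate a build agent image or CI job until the installation is upgraded.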

