Details
- Type: Question
- Status: Resolved
- Priority: Major
- Resolution: Invalid
- Affects Version/s: 4.3.2
- Fix Version/s: None
- Component/s: None
Description
CVE-2021-26291 reports that Maven versions lower than 3.8.1 are vulnerable to XRI attacks, where a malicious attacker can imitate a repository. Apache Karaf 4.3.2 includes pax-url-aether, which packs Maven artifacts of version 3.6.x, so the CVE impacts Karaf 4.3.2. But does the issue specified in the CVE, such as Maven pulling dependencies from remote directories, really affect Karaf at runtime? Is it possible that a PoC has been done to validate this impact on Karaf?
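The exposure behind CVE-2021-26291 is Maven (and resolvers built on it, such as the Aether stack pax-url-aether embeds) honouring `<repository>` and `<pluginRepository>` entries found inside dependency POMs, including ones that point at plaintext `http://` URLs an on-path attacker can impersonate; Maven 3.8.1's upstream fix is a default `maven-default-http-blocker` mirror for `external:http:*`. The scanner below is an added example, not code from the Karaf project or from the reporter, for checking the POMs an installation actually caches (for Karaf, the local repository pax-url-aether resolves into, typically `~/.m2/repository`, or `system/`) for repository declarations over plain HTTP. The sample POM, the `.invalid` hostnames and the file layout it assumes are constructed for the demonstration.

```python
"""Report Maven <repository>/<pluginRepository> entries that use plaintext HTTP.

Added example for assessing CVE-2021-26291 exposure: any cached POM that declares
an http:// repository is a place where a spoofed repository could be substituted.
The scanner is read-only; it only reports what it finds.
"""
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample POM: one HTTPS repository (fine), one HTTP repository and one
# HTTP plugin repository (both should be flagged). Hostnames are placeholders.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId><artifactId>demo</artifactId><version>1.0</version>
  <repositories>
    <repository><id>corp-https</id><url>https://repo.example.invalid/maven2</url></repository>
    <repository><id>legacy-http</id><url>http://repo.example.invalid/legacy</url></repository>
  </repositories>
  <pluginRepositories>
    <pluginRepository><id>plugins-http</id><url>HTTP://plugins.example.invalid/</url></pluginRepository>
  </pluginRepositories>
</project>
"""

REPO_TAGS = ("repository", "pluginRepository")


def _strip_namespaces(root: ET.Element) -> ET.Element:
    """Drop the POM XML namespace so the same lookups work on POMs with or without xmlns."""
    for element in root.iter():
        if "}" in element.tag:
            element.tag = element.tag.split("}", 1)[1]
    return root


def find_plaintext_repositories(pom_xml: str) -> list[tuple[str, str, str]]:
    """Return (kind, id, url) for every repository declared over http://.

    Using iter() instead of a fixed path also catches repositories nested under
    <profiles> and <distributionManagement>, which Maven honours as well.
    """
    root = _strip_namespaces(ET.fromstring(pom_xml))
    findings = []
    for kind in REPO_TAGS:
        for repo in root.iter(kind):
            repo_id = (repo.findtext("id") or "?").strip()
            url = (repo.findtext("url") or "").strip()
            if url.lower().startswith("http://"):
                findings.append((kind, repo_id, url))
    return findings


def scan_directory(base: str) -> dict[str, list[tuple[str, str, str]]]:
    """Scan every *.pom and pom.xml under `base`; unparsable files are skipped."""
    results = {}
    base_path = Path(base)
    for pom_file in list(base_path.rglob("*.pom")) + list(base_path.rglob("pom.xml")):
        try:
            findings = find_plaintext_repositories(pom_file.read_text(encoding="utf-8"))
        except (ET.ParseError, UnicodeDecodeError):
            continue
        if findings:
            results[str(pom_file)] = findings
    return results


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python scan_poms.py ~/.m2/repository
        for path, findings in scan_directory(sys.argv[1]).items():
            for kind, repo_id, url in findings:
                print(f"{path}: {kind} '{repo_id}' uses plaintext URL {url}")
    else:
        for finding in find_plaintext_repositories(SAMPLE_POM):
            print("flagged:", finding)
```

Run it against the local repository Karaf resolves into; a clean run reports nothing, and each line it does print is a repository that a mirror rule (or the Maven 3.8.1 default blocker) should redirect or block before the installation is considered unaffected.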