[KARAF-7224] Impact of CVE-2021-26291 on Karaf - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Question
Status: Resolved
Priority: Major
Resolution: Invalid
Affects Version/s: 4.3.2
Fix Version/s: None
Component/s: karaf
Labels:
None

Description

The CVE-2021-26291 reports about maven version lesser than 3.8.1 is vulnerable to XRI attacks where malicious attacker can imitate a repository. Apache Karaf 4.3.2 includes pax-url-aether which packs Maven artifacts of version 3.6.x. So the CVE impacts Karaf 4.3.2. But does the issue specified in the CVE like maven pulling dependencies from remote directories really affect Karaf during runtime? Is it possible that a PoC has been done to validate this impact on Karaf?

Attachments

Activity

People

Assignee:: Jean-Baptiste Onofré

Reporter:: Karthick

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 18/Jul/21 07:35

Updated:: 14/Dec/21 06:43

Resolved:: 14/Dec/21 06:41