CVE-2024-47197

Exposure of Sensitive Information to an Unauthorized Actor, Insecure Storage of Sensitive Information vulnerability in Maven Archetype Plugin. This issue affects Maven Archetype Plugin: from 3.2.1 before 3.3.0. Users are recommended to upgrade to version 3.3.0, which fixes the issue. Archetype integration testing creates a file called ./target/classes/archetype-it/archetype-settings.xml This file contains all the content from the users ~/.m2/settings.xml file, which often contains information they do not want to publish. We expect that on many developer machines, this also contains credentials. When the user runs mvn verify again (without a mvn clean), this file becomes part of the final artifact. If a developer were to publish this into Maven Central or any other remote repository (whether as a release or a snapshot) their credentials would be published without them knowing.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://lists.apache.org/thread/ftg81np183wnyk0kg4ks95dvgxdrof96	Mailing List
http://www.openwall.com/lists/oss-security/2024/09/26/2

Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:maven_archetype:3.2.1:*:*:*:*:*:*:*

History

21 Nov 2024, 09:39

Type	Values Removed	Values Added
References		() http://www.openwall.com/lists/oss-security/2024/09/26/2 -

02 Oct 2024, 17:25

Type	Values Removed	Values Added
CPE		cpe:2.3:a:apache:maven_archetype:3.2.1:::::::*
First Time		Apache maven Archetype Apache
References	~~() https://lists.apache.org/thread/ftg81np183wnyk0kg4ks95dvgxdrof96 -~~	() https://lists.apache.org/thread/ftg81np183wnyk0kg4ks95dvgxdrof96 - Mailing List
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5

26 Sep 2024, 13:32

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-09-26 08:15

Updated : 2025-03-17 18:15

NVD link : CVE-2024-47197

Mitre link : CVE-2024-47197

CVE.ORG link : CVE-2024-47197

JSON object : View

Products Affected

apache

maven_archetype

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

CWE-922

Insecure Storage of Sensitive Information

{"id": "CVE-2024-47197", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2024-09-26T08:15:06.587", "references": [{"url": "https://lists.apache.org/thread/ftg81np183wnyk0kg4ks95dvgxdrof96", "tags": ["Mailing List"], "source": "security@apache.org"}, {"url": "http://www.openwall.com/lists/oss-security/2024/09/26/2", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security@apache.org", "description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-922"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-922"}]}], "descriptions": [{"lang": "en", "value": "Exposure of Sensitive Information to an Unauthorized Actor, Insecure Storage of Sensitive Information vulnerability in Maven Archetype Plugin.\n\nThis issue affects Maven Archetype Plugin: from 3.2.1 before 3.3.0.\n\nUsers are recommended to upgrade to version 3.3.0, which fixes the issue.\n\nArchetype integration testing creates a file\ncalled ./target/classes/archetype-it/archetype-settings.xml\nThis file contains all the content from the users ~/.m2/settings.xml file,\nwhich often contains information they do not want to publish. We expect that on many developer machines, this also contains\ncredentials.\n\nWhen the user runs mvn verify again (without a mvn clean), this file becomes part of\nthe final artifact.\n\nIf a developer were to publish this into Maven Central or any other remote repository (whether as a release\nor a snapshot) their credentials would be published without them knowing."}, {"lang": "es", "value": "Exposici\u00f3n de informaci\u00f3n confidencial a un actor no autorizado, vulnerabilidad de almacenamiento inseguro de informaci\u00f3n confidencial en el complemento Maven Archetype. Este problema afecta al complemento Maven Archetype: desde la versi\u00f3n 3.2.1 hasta la 3.3.0. Se recomienda a los usuarios que actualicen a la versi\u00f3n 3.3.0, que soluciona el problema. Las pruebas de integraci\u00f3n de Archetype crean un archivo llamado ./target/classes/archetype-it/archetype-settings.xml. Este archivo contiene todo el contenido del archivo ~/.m2/settings.xml de los usuarios, que a menudo contiene informaci\u00f3n que no desean publicar. Esperamos que en muchas m\u00e1quinas de desarrolladores, esto tambi\u00e9n contenga credenciales. Cuando el usuario ejecuta mvn verificar nuevamente (sin un mvn clean), este archivo se convierte en parte del artefacto final. Si un desarrollador publicara esto en Maven Central o cualquier otro repositorio remoto (ya sea como una versi\u00f3n o una instant\u00e1nea), sus credenciales se publicar\u00edan sin que ellos lo supieran."}], "lastModified": "2025-03-17T18:15:18.883", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:maven_archetype:3.2.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A159A60A-09F5-49B5-A159-E530CACDA1B9"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}