CVE-2024-47197

{"id": "CVE-2024-47197", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2024-09-26T08:15:06.587", "references": [{"url": "https://lists.apache.org/thread/ftg81np183wnyk0kg4ks95dvgxdrof96", "tags": ["Mailing List"], "source": "security@apache.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-922"}]}, {"type": "Secondary", "source": "security@apache.org", "description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-922"}]}], "descriptions": [{"lang": "en", "value": "Exposure of Sensitive Information to an Unauthorized Actor, Insecure Storage of Sensitive Information vulnerability in Maven Archetype Plugin.\n\nThis issue affects Maven Archetype Plugin: from 3.2.1 before 3.3.0.\n\nUsers are recommended to upgrade to version 3.3.0, which fixes the issue.\n\nArchetype integration testing creates a file\ncalled ./target/classes/archetype-it/archetype-settings.xml\nThis file contains all the content from the users ~/.m2/settings.xml file,\nwhich often contains information they do not want to publish. We expect that on many developer machines, this also contains\ncredentials.\n\nWhen the user runs mvn verify again (without a mvn clean), this file becomes part of\nthe final artifact.\n\nIf a developer were to publish this into Maven Central or any other remote repository (whether as a release\nor a snapshot) their credentials would be published without them knowing."}, {"lang": "es", "value": "Exposici\u00f3n de informaci\u00f3n confidencial a un actor no autorizado, vulnerabilidad de almacenamiento inseguro de informaci\u00f3n confidencial en el complemento Maven Archetype. Este problema afecta al complemento Maven Archetype: desde la versi\u00f3n 3.2.1 hasta la 3.3.0. Se recomienda a los usuarios que actualicen a la versi\u00f3n 3.3.0, que soluciona el problema. Las pruebas de integraci\u00f3n de Archetype crean un archivo llamado ./target/classes/archetype-it/archetype-settings.xml. Este archivo contiene todo el contenido del archivo ~/.m2/settings.xml de los usuarios, que a menudo contiene informaci\u00f3n que no desean publicar. Esperamos que en muchas m\u00e1quinas de desarrolladores, esto tambi\u00e9n contenga credenciales. Cuando el usuario ejecuta mvn verificar nuevamente (sin un mvn clean), este archivo se convierte en parte del artefacto final. Si un desarrollador publicara esto en Maven Central o cualquier otro repositorio remoto (ya sea como una versi\u00f3n o una instant\u00e1nea), sus credenciales se publicar\u00edan sin que ellos lo supieran."}], "lastModified": "2024-10-02T17:25:36.990", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:maven_archetype:3.2.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A159A60A-09F5-49B5-A159-E530CACDA1B9"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}