Description

Exposure of Sensitive Information to an Unauthorized Actor, Insecure Storage of Sensitive Information vulnerability in Maven Archetype Plugin. This issue affects Maven Archetype Plugin: from 3.2.1 before 3.3.0. Users are recommended to upgrade to version 3.3.0, which fixes the issue. Archetype integration testing creates a file called ./target/classes/archetype-it/archetype-settings.xml This file contains all the content from the users ~/.m2/settings.xml file, which often contains information they do not want to publish. We expect that on many developer machines, this also contains credentials. When the user runs mvn verify again (without a mvn clean), this file becomes part of the final artifact. If a developer were to publish this into Maven Central or any other remote repository (whether as a release or a snapshot) their credentials would be published without them knowing.

INFO

Published Date :

2024-09-26T08:01:24.486Z

Last Modified :

2025-03-17T17:36:10.410Z

Source :

apache
AFFECTED PRODUCTS

The following products are affected by CVE-2024-47197 vulnerability.

Vendors Products
Apache
  • Maven Archetype
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-47197.

URL Resource
http://www.openwall.com/lists/oss-security/2024/09/26/2 cve-icon
https://lists.apache.org/thread/ftg81np183wnyk0kg4ks95dvgxdrof96 cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2024-47197 cve-icon
https://www.cve.org/CVERecord?id=CVE-2024-47197 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact