
Java CVE-2021-26291 on maven-core-3.0.jar maven-core-3.1.0.jar

Small question regarding CVE-2021-26291 on maven-core-3.0.jar maven-core-3.1.0.jar please.

On a very simple project, with the pom file below (please feel free to copy-paste)

Maven version is: Apache Maven 3.6.3

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns=""

I am running a static analysis which will find CVEs.

In my case, the CVE-2021-26291 on maven-core-3.0.jar maven-core-3.1.0.jar was found.

Quite surprised about the result, because I am not using any of those maven core jars.

I then ran the command mvn clean install dependency:tree -X in order to troubleshoot the issue. (Please feel free to run the same; the issue is 100% reproducible.)

It seems from the tree:

[INFO] --- jacoco-maven-plugin:0.8.7:prepare-agent (default) @ cvequestion ---
[DEBUG] Dependency collection stats: {ConflictMarker.analyzeTime=146555, ConflictMarker.markTime=114395, ConflictMarker.nodeCount=94, ConflictIdSorter.graphTime=72340, ConflictIdSorter.topsortTime=57819, ConflictIdSorter.conflictIdCount=40, ConflictIdSorter.conflictIdCycleCount=0, ConflictResolver.totalTime=852861, ConflictResolver.conflictItemCount=87, DefaultDependencyCollector.collectTime=267858813, DefaultDependencyCollector.transformTime=1327133}
[DEBUG] org.jacoco:jacoco-maven-plugin:jar:0.8.7
[DEBUG]    org.apache.maven:maven-plugin-api:jar:3.0:compile
[DEBUG]       org.apache.maven:maven-model:jar:3.0:compile
[DEBUG]       org.apache.maven:maven-artifact:jar:3.0:compile
[DEBUG]       org.sonatype.sisu:sisu-inject-plexus:jar:1.4.2:compile
[DEBUG]          org.sonatype.sisu:sisu-inject-bean:jar:1.4.2:compile
[DEBUG]             org.sonatype.sisu:sisu-guice:jar:noaop:2.1.7:compile
[DEBUG]    org.apache.maven:maven-core:jar:3.0:compile

What I tried to do is to add even the latest maven core, 3.8.5 (the latest as of this writing, March 2022), in both the plugin and dependency blocks of the pom, but I am still seeing those two particular versions, as well as the CVEs.

May I ask why they are in my dependencies, please?

Most of all, how do I fix this technical issue, please?

Thank you


  • The real problem in this case is that those scanning tools analyse the plugins as well, which is simply wrong, because they do not become part of the resulting artifacts. Also, using an artifact such as maven-core (by defining it as a dependency of a plugin) does not have the same consequences as using Maven (3.0.5) on the command line.

    The reported issue is related to org.apache.maven:maven-core:jar:3.0:compile, which is needed as a dependency by a plugin to define the API (more accurately: org.apache.maven:maven-plugin-api:jar:3.0:compile), and which defines the lowest version of Maven the plugin will support.

    The reported CVE is related to the problem that, if a pom file contains a repository that uses http instead of https, this can be used to introduce malicious artifacts. This has been fixed in Maven 3.8.2+, but it is unrelated to the usage of maven-core/maven-plugin-api as artifacts for plugin development.
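As an added illustration of the http-repository problem the answer describes (this is example code written for this page, not code from the question, the answer or the Maven project), the check below parses a POM and flags every repository, pluginRepository or distributionManagement URL that points at a non-local host over plain http. That is the class of URL Maven 3.8.1 and later refuse by default through the built-in maven-default-http-blocker mirror (whose mirrorOf pattern, external:http:*, exempts localhost), so running this over your own POMs and any parent POMs tells you whether the CVE's precondition actually exists in your build. The sample POM embedded below is constructed for the example.

```python
"""Flag plain-http repository URLs in a Maven POM (example, not Maven's own code)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Hosts that Maven's default external:http:* blocker also leaves alone.
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

# Element paths (relative to <project>) whose <url> child names an artifact source.
REPOSITORY_PATHS = (
    "repositories/repository",
    "pluginRepositories/pluginRepository",
    "distributionManagement/repository",
    "distributionManagement/snapshotRepository",
    "profiles/profile/repositories/repository",
    "profiles/profile/pluginRepositories/pluginRepository",
)

# Constructed sample: one secure repo, one external http repo, one localhost http
# proxy (allowed) and one external http plugin repo hidden inside a profile.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>cvequestion</artifactId>
  <version>1.0</version>
  <repositories>
    <repository><id>central</id><url>https://repo.maven.apache.org/maven2</url></repository>
    <repository><id>legacy-nexus</id><url>http://nexus.example.internal/repository/maven-public/</url></repository>
  </repositories>
  <pluginRepositories>
    <pluginRepository><id>local-proxy</id><url>http://localhost:8081/repository/maven-public/</url></pluginRepository>
  </pluginRepositories>
  <profiles>
    <profile>
      <id>ci</id>
      <pluginRepositories>
        <pluginRepository><id>profile-plugins</id><url>HTTP://plugins.example.internal/maven2</url></pluginRepository>
      </pluginRepositories>
    </profile>
  </profiles>
</project>
"""


def _local(tag: str) -> str:
    """Strip the {namespace} prefix so namespaced and bare POMs are handled alike."""
    return tag.split("}", 1)[-1]


def iter_repositories(root: ET.Element):
    """Yield (path, id, url) for every repository-like element under <project>."""
    for path in REPOSITORY_PATHS:
        nodes = [root]
        for step in path.split("/"):
            nodes = [child for node in nodes for child in node if _local(child.tag) == step]
        for repo in nodes:
            rid = url = None
            for child in repo:
                if _local(child.tag) == "id":
                    rid = (child.text or "").strip()
                elif _local(child.tag) == "url":
                    url = (child.text or "").strip()
            yield path, rid, url


def insecure_repositories(pom_xml: str):
    """Return [(path, id, url)] for plain-http URLs to non-local hosts.

    URLs built from unresolved ${properties} have no scheme after parsing and
    are not flagged here; resolve them (e.g. via help:effective-pom) first.
    """
    root = ET.fromstring(pom_xml)
    findings = []
    for path, rid, url in iter_repositories(root):
        if not url:
            continue
        parsed = urlparse(url)
        if parsed.scheme.lower() == "http" and parsed.hostname not in LOCAL_HOSTS:
            findings.append((path, rid, url))
    return findings


if __name__ == "__main__":
    for path, rid, url in insecure_repositories(SAMPLE_POM):
        print(f"INSECURE {path} id={rid} url={url}")
```

Point it at the effective POM (mvn help:effective-pom) rather than the raw file to catch repositories inherited from parents and to resolve property-based URLs; the two findings in the sample are legacy-nexus and the profile's profile-plugins entry, while the localhost proxy is left alone just as Maven's default blocker leaves it alone.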