The Apache Maven project reports:
We received a report from Jonathan Leitschuh about a vulnerability
of custom repositories in dependency POMs. We've split this up
into three separate issues:
- Possible Man-In-The-Middle attack due to custom repositories
using HTTP.
More and more repositories use HTTPS nowadays, but this
hasn't always been the case. This means that Maven Central contains
POMs with custom repositories that refer to a URL over HTTP. This
makes downloads via such repository a target for a MITM attack. At
the same time, developers are probably not aware that for some
downloads an insecure URL is being used. Because POMs uploaded to
Maven Central are immutable, a change to Maven was required. To
solve this, we extended the mirror configuration with a blocked
parameter, and we added a new external:http:* mirror selector (like
the existing external:*), meaning "any external URL using HTTP".
The decision was made to block such external HTTP repositories by default:
this is done by providing a mirror in the conf/settings.xml blocking
insecure HTTP external URLs.
- Possible Domain Hijacking due to custom repositories using abandoned
domains
Sonatype has analyzed which domains were abandoned and has claimed these
domains.
- Possible hijacking of downloads by redirecting to custom repositories
This one was the hardest to analyze and explain. The short story is:
you're safe, dependencies are only downloaded from repositories within
their context. So there are two main questions: what is the context and
what is the order? The order is described on the Repository Order page.
The first group of repositories is defined in the settings.xml (both user
and global). The second group of repositories is based on inheritance,
with ultimately the super POM containing the URL to Maven Central. The
third group is the most complex one but is important for understanding the
term context: repositories from the effective POMs along the dependency
path to the artifact. So if a dependency was defined by another dependency
or by a Maven project, it will also include their repositories. In the end
this is not a bug, but a design feature.
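The mitigation from the first issue, shown as an added settings.xml example (not a file from the advisory or from the Maven distribution): the `blocked` element and the `external:http:*` selector are the Maven features the advisory names, while the mirror ids, the dummy URL and the "legacy-repo" repository id are chosen for this illustration.

```xml
<!-- Added example: a user (~/.m2/settings.xml) or global
     ($MAVEN_HOME/conf/settings.xml) settings file applying the
     HTTP blocker described above. The ids, the dummy URL and the
     repository id "legacy-repo" are placeholders for this example. -->
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <mirrors>
    <!-- Matches every repository whose URL uses plain HTTP and is
         external, i.e. not localhost or a file:// URL. Because the
         mirror is blocked, a resolution that would have reached such
         a repository (for instance one declared in a dependency POM
         on Maven Central) fails loudly instead of downloading over
         an unauthenticated channel. -->
    <mirror>
      <id>maven-default-http-blocker</id>
      <mirrorOf>external:http:*</mirrorOf>
      <name>Pseudo repository to mirror external repositories initially using HTTP.</name>
      <url>http://0.0.0.0/</url>
      <blocked>true</blocked>
    </mirror>

    <!-- If a build legitimately needs one repository that a dependency
         POM declares over HTTP, redirect that single repository id to
         its HTTPS endpoint rather than removing the blocker. A mirror
         whose mirrorOf names the repository id exactly is matched in
         preference to a wildcard pattern such as external:http:*. -->
    <mirror>
      <id>legacy-repo-https</id>
      <mirrorOf>legacy-repo</mirrorOf>
      <url>https://repo.example.org/maven2/</url>
    </mirror>
  </mirrors>
</settings>
```

With this in place, a build that pulls a dependency whose POM lists an HTTP repository fails at resolution time, which is the intended signal that the repository needs an HTTPS mirror or the dependency needs replacing.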