Hey Folks
If you weren’t already aware, Apache Maven put out a 3.8.1 release to address a CVE this week:

https://maven.apache.org/docs/3.8.1/release-notes.html
https://lists.apache.org/thread.html/r0556ce5db7231025785477739ee416b169d8aff5ee9bac7854d64736%40%3Cannounce.apache.org%3E

This CVE relates to a possible supply chain poisoning attack if a Maven project directly (or indirectly via its plugins/dependencies) references insecure repositories (i.e. non-HTTPS repositories).

Anyone working with Maven day to day should make sure they’ve upgraded their Maven installations, both locally and within any CI/CD infrastructure you might be using (your corporate security teams at your $dayjob may already be chasing you about this).

I haven’t seen any reports that this is being actively exploited, but there has been a bunch of security research published lately about supply chain poisoning (e.g. https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610 as a prominent example widely reported in the tech press) that suggests it’s best to be protected against these kinds of attacks.

Hope this helps,

Rob Vesse

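As an added illustration (not part of Rob's message, and not Maven's own code), a small audit script a team could run over its POMs and settings.xml before and after the upgrade: it lists every repository URL that is not HTTPS, and checks whether settings.xml carries the `external:http:*` blocking mirror that Maven 3.8.1 ships in its default conf/settings.xml. The sample POM and settings below are constructed for the demonstration; the hostnames in them are placeholders.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Element names whose <url> child points at an artifact repository.
REPO_TAGS = {"repository", "pluginRepository", "snapshotRepository"}

def _local(el):
    """Tag name without the POM/SETTINGS xmlns prefix, so both styles of file work."""
    return el.tag.rsplit("}", 1)[-1]

def _child_text(el, name):
    for child in el:
        if _local(child) == name:
            return (child.text or "").strip()
    return ""

def insecure_repositories(pom_xml):
    """Return (tag, id, url) for each repository URL in a POM that is not HTTPS,
    including <distributionManagement> and repositories nested in <profiles>.
    Unresolved ${...} URLs are flagged too: a property may resolve to HTTP elsewhere.
    Stricter than Maven 3.8.1's default blocker, which exempts localhost."""
    findings = []
    for repo in ET.fromstring(pom_xml).iter():
        if _local(repo) not in REPO_TAGS:
            continue
        url = _child_text(repo, "url")
        if url and ("${" in url or urlparse(url).scheme.lower() != "https"):
            findings.append((_local(repo), _child_text(repo, "id"), url))
    return findings

def has_http_blocker(settings_xml):
    """True if settings.xml declares a <blocked>true</blocked> mirror for external:http:*."""
    for mirror in ET.fromstring(settings_xml).iter():
        if (_local(mirror) == "mirror"
                and _child_text(mirror, "mirrorOf") == "external:http:*"
                and _child_text(mirror, "blocked").lower() == "true"):
            return True
    return False

# Constructed sample inputs (placeholder hosts, not a real project): a POM mixing
# HTTPS and HTTP repositories, and a settings.xml carrying the 3.8.1 blocker mirror.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0"><repositories>
  <repository><id>central</id><url>https://repo.maven.apache.org/maven2</url></repository>
  <repository><id>legacy</id><url>http://repo.example.internal/maven2</url></repository>
</repositories><profiles><profile><id>ci</id><pluginRepositories>
  <pluginRepository><id>plugins</id><url>http://plugins.example.internal/</url></pluginRepository>
</pluginRepositories></profile></profiles></project>"""
SAMPLE_SETTINGS = """<settings><mirrors><mirror><id>maven-default-http-blocker</id>
  <mirrorOf>external:http:*</mirrorOf><url>http://0.0.0.0/</url><blocked>true</blocked>
</mirror></mirrors></settings>"""
```

Point `insecure_repositories` at each `pom.xml` in a build (including parent POMs) and `has_http_blocker` at both `~/.m2/settings.xml` and the installation's `conf/settings.xml`; a user-level settings.xml that redefines mirrors without the blocker silently reopens plain-HTTP fetches.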