[
https://issues.apache.org/jira/browse/KARAF-7224?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jean-Baptiste Onofré resolved KARAF-7224.
-----------------------------------------
Resolution: Invalid
> Impact of CVE-2021-26291 on Karaf
> ---------------------------------
>
> Key: KARAF-7224
> URL: https://issues.apache.org/jira/browse/KARAF-7224
> Project: Karaf
> Issue Type: Question
> Components: karaf
> Affects Versions: 4.3.2
> Reporter: Karthick
> Assignee: Jean-Baptiste Onofré
> Priority: Major
>
> CVE-2021-26291 reports that Maven versions lower than 3.8.1 are
> vulnerable to XRI attacks, where a malicious attacker can imitate a repository.
> Apache Karaf 4.3.2 includes pax-url-aether, which packs Maven artifacts of
> version 3.6.x. So the CVE impacts Karaf 4.3.2. But does the issue specified
> in the CVE, like Maven pulling dependencies from remote directories, really
> affect Karaf during runtime? Is it possible that a PoC has been done to
> validate this impact on Karaf?
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
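Whatever the resolution of the ticket, the practical question behind it is which repositories Karaf's runtime Maven resolver (pax-url-aether) is allowed to talk to and over what transport, since the CVE's scenario is an attacker standing in for a repository. The script below is an added example written for this page, not code from the Karaf project or from the issue. It parses a Karaf-style `etc/org.ops4j.pax.url.mvn.cfg` (the `org.ops4j.pax.url.mvn.repositories` key is the real pax-url-mvn property; the file contents and URLs are constructed for the example) and reports any repository that would be fetched over plain HTTP, which is the class of repository reference that Maven 3.8.1 stopped following by default.

```python
# Audit a Karaf pax-url-mvn configuration for repositories reached over
# plain HTTP. Added example for this page; not Karaf project code.

# Constructed sample in the layout of Karaf's etc/org.ops4j.pax.url.mvn.cfg
# (Java properties syntax, long values continued with a trailing backslash).
# Hostnames and ids are made up for this example.
SAMPLE_CFG = """\
# constructed sample, not a real deployment
org.ops4j.pax.url.mvn.localRepository=${karaf.data}/repository
org.ops4j.pax.url.mvn.repositories= \\
    https://repo1.maven.org/maven2@id=central, \\
    http://mirror.example.internal/maven2@id=internal-mirror, \\
    https://repository.apache.org/content/groups/snapshots-group@id=apache@snapshots@noreleases
"""

REPOSITORIES_KEY = "org.ops4j.pax.url.mvn.repositories"


def parse_properties(text):
    """Parse Java-style properties text into a dict, joining backslash continuations."""
    props = {}
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if pending:
            # Continuation of the previous logical line.
            line = pending + line
            pending = ""
        if not line or line.startswith(("#", "!")):
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    if pending:  # file ended on a continuation line
        key, sep, value = pending.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def parse_repositories(value):
    """Split the comma-separated repository list into (url, options) pairs.

    pax-url-mvn appends options to each URL with '@', e.g. '@id=central',
    '@snapshots', '@noreleases'.
    """
    repos = []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        url, *opts = entry.split("@")
        repos.append((url, opts))
    return repos


def find_plaintext_repositories(cfg_text):
    """Return (repository id, URL) pairs for repositories configured over http://.

    Any such entry can be impersonated by an on-path attacker, which is the
    situation the CVE describes; an https:// entry requires a valid certificate.
    """
    props = parse_properties(cfg_text)
    findings = []
    for url, opts in parse_repositories(props.get(REPOSITORIES_KEY, "")):
        if url.lower().startswith("http://"):
            repo_id = next((o[len("id="):] for o in opts if o.startswith("id=")), "(no id)")
            findings.append((repo_id, url))
    return findings


if __name__ == "__main__":
    for repo_id, url in find_plaintext_repositories(SAMPLE_CFG):
        print(f"plain-HTTP repository: {repo_id} -> {url}")
```

Run it against a real `etc/org.ops4j.pax.url.mvn.cfg` by reading the file into `find_plaintext_repositories`; note that it only audits the repositories configured in that file, not repositories declared inside dependency POMs, so it complements rather than replaces the Maven-side default of refusing non-TLS repositories.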