Details
- Type: Bug
- Status: Closed
- Resolution: Done
- TBD
- None
- Bienenvolk
Description
Task:
Replace http with https for maven.k-int.com, fixing a MitM vulnerability.
Steps to Reproduce:
The following build files
https://github.com/folio-org/mod-agreements/blob/v4.0.1/service/build.gradle#L32
https://github.com/folio-org/mod-service-interaction/blob/8e75dd35b3c064c4d0e161c859d28417fc77ce17/service/build.gradle#L50
https://github.com/folio-org/mod-service-interaction/blob/8e75dd35b3c064c4d0e161c859d28417fc77ce17/service/build.gradle#L54
https://github.com/folio-org/mod-licenses/blob/v3.1.0/service/build.gradle#L32
contain this entry:
    repositories {
    ...
    maven { url "http://maven.k-int.com/content/repositories/releases" }
    }
Unencrypted http is used.
This allows an attacker to run a Machine-in-the-Middle (MitM) attack that replaces the downloaded artifacts with malware.
Such attacks against unencrypted Maven repositories have been well known since 2019:
https://github.com/github/securitylab/issues/21
For this reason Maven has blocked unencrypted http repositories by default since 2021 (Maven 3.8.1):
https://maven.apache.org/docs/3.8.1/release-notes.html#cve-2021-26291
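As an added example (not part of this issue or of the FOLIO projects), the following Python script audits a Gradle build file for repository URLs that use plain http and rewrites them to https, which is the fix this issue asks for. The sample build file is constructed for illustration: the maven.k-int.com line is the one quoted above, while the repo.example.invalid and localhost entries are assumed. Loopback hosts are deliberately left alone, mirroring Maven's default blocker, which only refuses external http repositories.

```python
import re

# Constructed sample modelled on the build.gradle excerpt in this issue.
# Only the maven.k-int.com line is taken from the issue; the other two
# repository URLs are assumed for illustration.
SAMPLE_BUILD_GRADLE = """\
repositories {
    mavenCentral()
    maven { url "http://maven.k-int.com/content/repositories/releases" }
    maven { url "https://repo.example.invalid/releases" }
    maven { url "http://localhost:8081/repository/maven-public/" }
}
"""

# Matches the common Gradle spellings: url "..."  /  url = "..."  /  url("...")
URL_RE = re.compile(r"""url\s*[=(]?\s*['"](?P<url>[^'"]+)['"]""")

# Hosts that Maven's default external:http:* blocker also leaves alone.
LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def host_of(url):
    """Extract the host part of an http(s) URL ('' if it is not one)."""
    m = re.match(r"https?://([^/:]+)", url)
    return m.group(1) if m else ""


def find_insecure_repo_urls(gradle_text):
    """Return (line_number, url) for every repository URL fetched over plain http.

    Loopback hosts are skipped: traffic to them never crosses a network where
    a machine-in-the-middle could tamper with the downloaded artifacts.
    """
    findings = []
    for lineno, line in enumerate(gradle_text.splitlines(), start=1):
        m = URL_RE.search(line)
        if not m:
            continue
        url = m.group("url")
        if url.lower().startswith("http://") and host_of(url) not in LOOPBACK:
            findings.append((lineno, url))
    return findings


def harden(gradle_text):
    """Rewrite every flagged http:// repository URL to https://.

    Lines that are not flagged (https already, loopback, non-URL lines)
    are returned unchanged, so the rest of the build file is untouched.
    """
    lines = gradle_text.splitlines(keepends=True)
    for lineno, url in find_insecure_repo_urls(gradle_text):
        secure = "https://" + url[len("http://"):]
        lines[lineno - 1] = lines[lineno - 1].replace(url, secure, 1)
    return "".join(lines)


if __name__ == "__main__":
    for lineno, url in find_insecure_repo_urls(SAMPLE_BUILD_GRADLE):
        print(f"line {lineno}: unencrypted repository {url}")
    print(harden(SAMPLE_BUILD_GRADLE))
```

Switching the scheme is only half of the check: the repository must actually serve a valid certificate chain (hence the blocking link to FOLIO-3132 below), otherwise the build fails on TLS validation instead of silently downloading over http. Note also that Gradle 7 and later refuse plain-http repositories outright unless the build explicitly opts in with `allowInsecureProtocol = true`, so any such opt-in is a second thing worth flagging in a build file audit.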
Issue Links
- is blocked by: FOLIO-3132 Install intermediate SSL certificate on maven.k-int.com (Closed)
- relates to: FOLIO-3106 Update Index Data maven repo url (Closed)