CVE-2021-26291: Apache Maven: block repositories using http by default

Key Information:
- Vulnerability: Apache Maven may follow repositories defined in a dependency's pom file. Because such a repository can be declared over plain http, a malicious actor positioned to intercept that unencrypted traffic could modify what those repositories serve.
- Mitigation: Maven 3.8.1 changes the default behavior so that http repositories are not followed by default.
- Resolved Issues:
  - A new parameter ( ) is added to the mirror section in settings.xml to define a URL that should never be accessed.
  - A pattern ( ) is added to the mirrorOf field to block http repositories by default.
  - An entry is added to the default settings.xml to block all http repositories by default.
- Additional Information: The document includes links to detailed release notes and further information on repository management.
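As an added example, not text from the summary above, the two configuration fragments involved: a dependency pom declaring a plain-http repository of the kind Maven 3.8.1 stops following, beside the blocking mirror entry that Maven 3.8.1 ships in its default settings.xml. The mirror values (the `blocked` element, the `external:http:*` mirrorOf pattern, the id, name and url) are reproduced from my knowledge of that release rather than from the summary; the repository host in the pom is a constructed placeholder.

```xml
<!-- pom.xml fragment (constructed): a dependency's pom declaring a plain-http
     repository. Before Maven 3.8.1 this was followed as-is, so an on-path
     attacker able to tamper with the unencrypted traffic could substitute
     artifacts. The host is a placeholder, not a real repository. -->
<repositories>
  <repository>
    <id>legacy-http-repo</id>
    <url>http://repo.example.internal/maven2</url>
  </repository>
</repositories>

<!-- settings.xml fragment: the blocking mirror entry Maven 3.8.1 adds to its
     default settings (values as shipped by Maven, quoted from memory).
     mirrorOf uses the external:http:* pattern, which matches every repository
     reached over plain http except one on localhost. blocked=true tells Maven
     never to contact the mirror url at all, so resolution against any matched
     http repository fails instead of downloading over an insecure channel. -->
<mirrors>
  <mirror>
    <id>maven-default-http-blocker</id>
    <mirrorOf>external:http:*</mirrorOf>
    <name>Pseudo repository to mirror external repositories initially using HTTP.</name>
    <url>http://0.0.0.0/</url>
    <blocked>true</blocked>
  </mirror>
</mirrors>
```

With the mirror in place, a build that pulls in the pom above fails at dependency resolution rather than fetching over http; the remedy on the defender's side is to switch the repository declaration to an https URL (or to an internal mirror served over https), not to remove the blocking entry.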