CVE-2024-47197

7.5 HIGH

📋 TL;DR

The Maven Archetype Plugin versions 3.2.1 through 3.2.x expose sensitive credentials by copying the user's settings.xml file into test artifacts. This affects developers who use the plugin for archetype integration testing and publish artifacts without cleaning build directories, potentially leaking authentication credentials to public repositories.

💻 Affected Systems

Products:
  • Apache Maven Archetype Plugin
Versions: 3.2.1 through 3.2.x (before 3.3.0)
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects users performing archetype integration testing with the mvn verify command without running mvn clean between builds.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Developer credentials (including passwords, API keys, tokens) are published to public repositories like Maven Central, allowing attackers to compromise build systems, deploy malicious artifacts, or access private repositories.

🟠

Likely Case

Credentials accidentally exposed in snapshot or test artifacts, potentially discovered through repository scanning tools or manual inspection.

🟢

If Mitigated

No credential exposure occurs due to proper build hygiene or credential management practices.

🌐 Internet-Facing: HIGH - Published artifacts containing credentials are accessible to anyone with repository access.
🏢 Internal Only: MEDIUM - Internal artifact repositories could still expose credentials to unauthorized internal users.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires discovering published artifacts containing the leaked settings.xml file.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.3.0

Vendor Advisory: https://lists.apache.org/thread/ftg81np183wnyk0kg4ks95dvgxdrof96

Restart Required: No

Instructions:

1. Update Maven Archetype Plugin dependency to version 3.3.0 in pom.xml
2. Run mvn clean verify to ensure old artifacts are removed
3. Verify no settings.xml files exist in published artifacts

🔧 Temporary Workarounds

Always clean before verify

Platform: all

Run mvn clean before mvn verify to prevent accumulation of sensitive files in the build directory.

Command: mvn clean verify

Exclude sensitive files from artifacts

Platform: all

Configure the build to exclude archetype-settings.xml from final artifacts.

Add appropriate exclusions to the pom.xml build configuration.

🧯 If You Can't Patch

  • Implement mandatory mvn clean before any verify operations in CI/CD pipelines
  • Scan all published artifacts for settings.xml files and revoke any exposed credentials

🔍 How to Verify

Check if Vulnerable:

Check whether archetype-settings.xml exists in the target/classes/archetype-it/ directory after running mvn verify without a preceding mvn clean.

Check Version:

mvn archetype:help | grep 'Apache Maven Archetype Plugin'

Verify Fix Applied:

After upgrading to 3.3.0, verify that archetype-settings.xml is no longer created in test artifacts
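As an added defensive check (not part of this advisory or of the Apache Maven Archetype Plugin), the following Python script scans a build directory and packaged JAR artifacts for leaked settings files. It covers both the vulnerability check above and the "scan all published artifacts" step under If You Can't Patch. It assumes the leaked file keeps the basename archetype-settings.xml (or settings.xml) inside the artifact; the sample target/ tree it builds, including the placeholder credential, is constructed for the demonstration.

```python
"""Defensive check for CVE-2024-47197: find copies of Maven settings files that
leaked into a build directory or a packaged artifact.

Added example, not part of the advisory or of the Maven Archetype Plugin.
Assumptions: the leaked file is named archetype-settings.xml (or settings.xml)
and keeps that basename when packaged; the tree made by build_sample_tree()
is constructed data for demonstration only.
"""
import os
import tempfile
import zipfile

# Basenames that should never appear in a build output or published artifact.
SUSPECT_BASENAMES = {"settings.xml", "archetype-settings.xml"}


def is_settings_file(path: str) -> bool:
    """True if the last path component is a Maven settings file name."""
    return path.replace("\\", "/").rsplit("/", 1)[-1] in SUSPECT_BASENAMES


def scan_build_dir(root: str) -> list:
    """Walk a build directory (e.g. target/) and return leaked settings files
    as paths relative to root, sorted for stable output."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if is_settings_file(name):
                full = os.path.join(dirpath, name)
                hits.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return sorted(hits)


def scan_artifact(jar_path: str) -> list:
    """Return the entry names inside a JAR/ZIP artifact that are settings files.
    A non-empty result means the artifact must not be published and any
    credentials inside it should be treated as exposed and revoked."""
    with zipfile.ZipFile(jar_path) as zf:
        return sorted(n for n in zf.namelist() if is_settings_file(n))


def build_sample_tree(base: str) -> dict:
    """Construct a sample layout (constructed data, not a real build):
    - target/classes/archetype-it/archetype-settings.xml  (the leaked file)
    - target/leaky-1.0.jar   (packaged without a prior mvn clean)
    - target/clean-1.0.jar   (packaged after mvn clean)
    Returns the paths so a caller can scan them."""
    target = os.path.join(base, "target")
    it_dir = os.path.join(target, "classes", "archetype-it")
    os.makedirs(it_dir)
    leaked = os.path.join(it_dir, "archetype-settings.xml")
    with open(leaked, "w") as f:
        # Placeholder credential, constructed for the example.
        f.write("<settings><servers><server><id>repo</id>"
                "<username>ci</username><password>PLACEHOLDER</password>"
                "</server></servers></settings>")
    leaky_jar = os.path.join(target, "leaky-1.0.jar")
    with zipfile.ZipFile(leaky_jar, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.write(leaked, "archetype-it/archetype-settings.xml")
    clean_jar = os.path.join(target, "clean-1.0.jar")
    with zipfile.ZipFile(clean_jar, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("com/example/App.class", b"\xca\xfe\xba\xbe")
    return {"target": target, "leaky_jar": leaky_jar, "clean_jar": clean_jar}


def run_demo() -> dict:
    """Build the constructed sample tree in a temporary directory, scan it,
    and return the findings keyed by what was scanned."""
    with tempfile.TemporaryDirectory() as tmp:
        paths = build_sample_tree(tmp)
        return {
            "build_dir": scan_build_dir(paths["target"]),
            "leaky_jar": scan_artifact(paths["leaky_jar"]),
            "clean_jar": scan_artifact(paths["clean_jar"]),
        }


if __name__ == "__main__":
    for what, hits in run_demo().items():
        print(f"{what}: {'LEAK ' + str(hits) if hits else 'clean'}")
```

In a CI pipeline, point scan_build_dir at target/ and scan_artifact at every JAR about to be deployed, and fail the job on any hit; the same scan over artifacts already in a repository tells you which credentials need rotating.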

📡 Detection & Monitoring

Log Indicators:

  • Build logs showing archetype-settings.xml being created or included in artifacts

Network Indicators:

  • Artifact repository traffic containing settings.xml files

SIEM Query:

Search for file creation events matching '*archetype-settings.xml*' in build directories
