Password in Maven settings.xml
ID | maven_server_password
Severity | critical
Vendor | Apache Maven
Family | Password
Description
Credentials for authenticated Maven repositories (registries), mirrors and proxies can be stored in the settings.xml configuration file, usually ~/.m2/settings.xml or a project-level copy committed alongside the build.
This detector looks for:
- passwords for Maven servers (a <password> entry under a <server> entry),
- pass-phrases for private SSH keys used for SSH authentication (a <passphrase> entry under a <server> entry), or
- passwords used in basic authentication with proxy servers (a <password> entry under a <proxy> entry).
Security
A hardcoded server password, once leaked, lets an attacker authenticate to the repository with the build's identity; if that account has deploy rights, the attacker can publish a malicious library that will be downloaded during subsequent builds.
Such a malicious library could exfiltrate sensitive information, install a remote access trojan, or execute unintended actions, further compromising the environment where the built system is deployed.
Examples
<settings>
  <servers>
    <server>
      <id>siteServer-pass2</id>
      <username>repouser</username>
      <!-- secret leak -->
      <password>P4zzw0rk leaked!</password>
    </server>
  </servers>
</settings>
To fix, replace the clear-text password with the encrypted form produced by mvn --encrypt-password (which relies on a master password stored in ~/.m2/settings-security.xml), as documented in Maven Password Encryption. Note that this encryption is reversible by anyone who also obtains settings-security.xml, so it limits casual exposure but does not make the leaked value safe to keep: the password must still be rotated.
<settings>
  <servers>
    <server>
      <id>siteServer-pass2</id>
      <username>repouser</username>
      <!-- Encrypted password -->
      <password>{oyka1WTGSR0HE0mwMAqJYYQgr3SME3Jf...}</password>
    </server>
  </servers>
</settings>
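The detection rules listed above, applied to a settings.xml, as an added example that is not the detector's own implementation: it reports <password> and <passphrase> under <server> and <password> under <proxy> unless the value carries a Maven-encrypted {...} token. The sample settings.xml is constructed for the example, and treating ${...} property references such as ${env.REPO_PASSWORD} as non-secrets is an assumption of this example rather than a documented rule.

```python
"""Added example: flag clear-text credentials in a Maven settings.xml."""
import re
import xml.etree.ElementTree as ET

# Maven (plexus-cipher) takes the text between the first '{' and the last '}'
# as the ciphertext and ignores surrounding text, so a value such as
# "rotated 2024-01-02 {AbC...=}" still counts as encrypted.
ENCRYPTED_TOKEN = re.compile(r"\{[^{}]+\}")

# enclosing element -> child fields that hold secrets (the detector's rules)
WATCHED_FIELDS = {
    "server": ("password", "passphrase"),
    "proxy": ("password",),
}


def _local_name(tag):
    """Strip the namespace: '{http://maven.apache.org/SETTINGS/1.0.0}server' -> 'server'."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    """Text of the first direct child with the given local name, or ''."""
    for child in elem:
        if _local_name(child.tag) == name:
            return (child.text or "").strip()
    return ""


def is_cleartext_secret(value):
    """True if the value looks like a literal secret rather than an encrypted
    token or a placeholder. Skipping ${...} property references is an
    assumption of this example (they resolve at build time, not here)."""
    if not value:
        return False
    if value.startswith("${") and value.endswith("}"):
        return False
    return ENCRYPTED_TOKEN.search(value) is None


def find_cleartext_secrets(settings_xml):
    """Return (element, id, field) triples for every clear-text secret found."""
    findings = []
    root = ET.fromstring(settings_xml)
    for elem in root.iter():  # document order; works for namespaced and bare tags
        kind = _local_name(elem.tag)
        if kind not in WATCHED_FIELDS:
            continue
        ident = _child_text(elem, "id")
        for field in WATCHED_FIELDS[kind]:
            if is_cleartext_secret(_child_text(elem, field)):
                findings.append((kind, ident, field))
    return findings


# Constructed sample: one leaked server password, one encrypted password,
# one clear-text SSH passphrase, one env-var placeholder, one proxy password.
SAMPLE_SETTINGS = """<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <servers>
    <server>
      <id>siteServer-pass2</id>
      <username>repouser</username>
      <password>P4zzw0rk leaked!</password>
    </server>
    <server>
      <id>releases</id>
      <username>deployer</username>
      <password>{oyka1WTGSR0HE0mwMAqJYYQgr3SME3Jf...}</password>
    </server>
    <server>
      <id>git-ssh</id>
      <privateKey>${user.home}/.ssh/id_ed25519</privateKey>
      <passphrase>correct horse battery</passphrase>
    </server>
    <server>
      <id>ci-mirror</id>
      <username>ci</username>
      <password>${env.MIRROR_PASSWORD}</password>
    </server>
  </servers>
  <proxies>
    <proxy>
      <id>corp</id>
      <host>proxy.example.test</host>
      <username>proxyuser</username>
      <password>proxy-s3cret</password>
    </proxy>
  </proxies>
</settings>
"""

if __name__ == "__main__":
    for element, ident, field in find_cleartext_secrets(SAMPLE_SETTINGS):
        print(f"clear-text {field} in <{element}> id={ident!r}")
```

Run it against a real file with `find_cleartext_secrets(open(path).read())`; the namespace handling matters because most settings.xml files declare the Maven SETTINGS namespace on the root element, which would otherwise make a plain `findall("server")` return nothing.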
Mitigation / Fix
- Follow your policy for handling leaked secrets, which typically requires revoking the secret in the target system(s).
- Check the registry logs for unintended access during the exposure window. In particular, look for write operations by unexpected actors, since these could have uploaded malicious artifacts, or artifacts that pull in other malicious libraries indirectly (as dependencies declared in their pom.xml).
- Replace the leaked password with the new, rotated one in encrypted form, following the guidelines from Maven Password Encryption.