Research Shows Over 100,000 Libraries Affected By Maven Vulnerability CVE-2021-26291
I disclosed CVE-2021-26291, a vulnerability in the Java build tool Apache Maven. The vulnerability affects over 100,000 libraries in Maven Central.
Jonathan Leitschuh is a Security Software Engineer and Security Researcher currently working for Gradle Inc., the company behind the JVM build tool Gradle. Jonathan is best known for the July 2019 Zoom Video Conferencing 0-day vulnerability. He also championed an industry-wide initiative to formally decommission HTTP support in favor of HTTPS-only access to the major artifact servers in the JVM ecosystem. He has a degree in Robotics and Computer Science from Worcester Polytechnic Institute. He enjoys finding security vulnerabilities in OSS in his free time, as well as contributing to the GitHub Security Lab Bug Bounty Program. He is a strong proponent of security researchers having and enforcing vulnerability disclosure policies.