Skip to main content

Javadoc security issue and maven.java.net server

No replies
dhirup
Offline
Joined: 2004-04-15
Points: 0

Many of you must be aware of the Javadoc HTML frame injection
vulnerability identified as CVE-2013-1571 in the June 2013 Oracle Java
SE Critical Patch Update advisory [1]. This vulnerability could also
be exploited on maven.java.net server when browsing a Javadoc artifact
deployed on it.

To address this vulnerability on maven.java.net server, we have disabled
the archive browsing functionality (source, Javadoc etc.) for maven artifacts
deployed on the server.

We understand from our traffic analysis that a very small percentage of
the java.net users use this feature. If you need to browse artifacts,
you can download them and browse the source/Javadocs using your
favorite IDE (just as you would do from Maven central).

Please be aware, If you do download older Javadoc artifacts (with this vulnerability)
from this Maven repository to host on your web server, you need to re-generate
the API documentation using the latest Javadoc tool and replace the pages with
the re-generated Javadoc output.

- Administrators for maven.java.net

[1]
http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847...