Javadoc security issue and server


Many of you must be aware of the Javadoc HTML frame injection
vulnerability identified as CVE-2013-1571 in the June 2013 Oracle Java
SE Critical Patch Update advisory [1]. This vulnerability could also
be exploited on the server when browsing a Javadoc artifact
deployed on it.

To address this vulnerability on the server, we have disabled
the archive browsing functionality (source, Javadoc, etc.) for Maven artifacts
deployed on the server.

We understand from our traffic analysis that a very small percentage of
the users use this feature. If you need to browse artifacts,
you can download them and browse the source/Javadocs using your
favorite IDE (just as you would do from Maven central).

Please be aware: if you do download older Javadoc artifacts (with this vulnerability)
from this Maven repository to host on your web server, you need to re-generate
the API documentation using the latest Javadoc tool and replace the pages with
the re-generated Javadoc output.

- Administrators for