Hi, Fixed for 3.9.15 - https://github.com/apache/maven/milestone/125?closed=1
I add info at https://gist.github.com/weaver4VD/3216dac645220f8c9b488362f61241ec thate plexus-utils 3.6.1 alos has a fix On Thu, 2 Apr 2026 at 14:24, Clebert Suconic <[email protected]> wrote: > From my line of usage: These two jars: > > org.apache.maven:maven-plugin-api:jar:3.9.14 > org.apache.maven:maven-core:jar:3.9.14 > > > If you look on the pom, you will see: > > https://github.com/apache/maven/blob/maven-3.9.x/pom.xml#L138 > > On Thu, Apr 2, 2026 at 7:22 AM Guillaume Nodet <[email protected]> wrote: > > > > Do you know which jars depend on this plexus-utils 3.6.0 ? > > > > Le jeu. 2 avr. 2026 à 13:02, Clebert Suconic <[email protected]> > a > > écrit : > > > > > Plexus utils 3.6.0 is affected by a CVE: > > > > > > https://gist.github.com/weaver4VD/3216dac645220f8c9b488362f61241ec > > > > > > > > > > > > Would be possible to update the dependency by a non affected version > > > (I think 3.9.0?) and have a maven 3.9.15 with the upgrade? > > > > > > I develop a maven plugin and that makes my code to appear in security > > > scanners, even though the dependency has a provided scope and is > > > downloaded by Maven itself. > > > > > > > > > > > > Thank you > > > > > > -- > > > Clebert Suconic > > > > > > --------------------------------------------------------------------- > > > To unsubscribe, e-mail: [email protected] > > > For additional commands, e-mail: [email protected] > > > > > > > > > > -- > > ------------------------ > > Guillaume Nodet > > > > -- > Clebert Suconic > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [email protected] > For additional commands, e-mail: [email protected] > > -- Sławomir Jaranowski
