CVE-2024-47197

Exposure of Sensitive Information to an Unauthorized Actor, Insecure Storage of Sensitive Information vulnerability in Maven Archetype Plugin.<br /> <br /> This issue affects Maven Archetype Plugin: from 3.2.1 before 3.3.0.<br /> <br /> Users are recommended to upgrade to version 3.3.0, which fixes the issue.<br /> <br /> Archetype integration testing creates a file<br /> called ./target/classes/archetype-it/archetype-settings.xml<br /> This file contains all the content from the users ~/.m2/settings.xml file,<br /> which often contains information they do not want to publish. We expect that on many developer machines, this also contains<br /> credentials.<br /> <br /> When the user runs mvn verify again (without a mvn clean), this file becomes part of<br /> the final artifact.<br /> <br /> If a developer were to publish this into Maven Central or any other remote repository (whether as a release<br /> or a snapshot) their credentials would be published without them knowing.