Information Exposure Affecting org.apache.maven.scm:maven-scm-providers-git package, versions [2.1.0,2.2.1)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsSnyk Learn
Learn about Information Exposure vulnerabilities in an interactive lesson.
Start learning- Snyk IDSNYK-JAVA-ORGAPACHEMAVENSCM-10361583
- published16 Jun 2025
- disclosed31 Mar 2025
- creditMarkus Hoffrogge
Introduced: 31 Mar 2025
CVE NOT AVAILABLE CWE-209 (opens in a new tab)How to fix?
Upgrade org.apache.maven.scm:maven-scm-providers-git to version 2.2.1 or higher.
Overview
org.apache.maven.scm:maven-scm-providers-git is a SCM Provider implementation for Git
Affected versions of this package are vulnerable to Information Exposure due to improper handling of passwords in different components. When a git password contains special characters, a discrepancy in encoding methods between the URI class and URLEncode.encode can cause the password masking to fail in the JGit provider, leading to the password being logged in a URI-encoded but otherwise clear format. In another instance, if a ls-remote command fails in the Gitexe provider, an exception is thrown containing the full fetch URL, which includes the URI-encoded password without it being masked.