Repositories of datanucleus are fetched over insecure protocol (http instead of https)

High
Central Security Project

Team Summary

Official summary from Central Security Project

Maven artifact
groupId: org.datanucleus
artifactId: datanucleus-maven-parent
version: 4.0.0

Vulnerability
The jar files inside repositories are fetched using an insecure protocol (http instead of https). This allows these artifacts to be potentially MITMed to maliciously compromise them and infect the build artifacts that are produced. Additionally, if any of these JARs or other dependencies were compromised, any developers or production servers using these could continue to be infected past updating to fix this.

Additional Details
Source File and Line Number: https://search.maven.org/artifact/org.datanucleus/datanucleus-maven-parent/4.0.0/pom (line: 21)
Vulnerable File(s): http://www.datanucleus.org/downloads/maven2/
Vulnerability Introduction: the above-mentioned repo is fetched over http and can be exploited by a MITM attack.

Steps To Reproduce
Due to the complexity of this bug I avoided attempting to generate a POC because it could possibly affect existing users, but a detailed POC is in the link below, which was the same case back in 2014; please refer to the article to reproduce: https://medium.com/bugbountywriteup/want-to-take-over-the-java-ecosystem-all-you-need-is-a-mitm-1fc329d898fb
However, the steps to reproduce are as follows:
1. Clone the impacted project.
2. Change this line in Dilettante so it is targeting the repository used in the build: https://github.com/mveytsman/dilettante/blob/master/dilettante.py#L143
3. Start Dilettante on your local machine.
4. Proxy the HTTP traffic for the build through Dilettante.
5. Execute the build's tests.
6. You should be greeted with the image of a cat.

Patch
Force https instead of http.

In short, the jar files in the http://www.datanucleus.org/downloads/maven2/ repos are fetched over http, which can be intercepted by MITM and could cause severe damage to the existing users.

This isn't just theoretical. A proof of concept for performing this MITM and infecting JAR files on the fly has existed since 2014:
Here's the blog post link: https://max.computer/blog/how-to-take-over-the-computer-of-any-java-or-clojure-or-scala-developer/
Here's the GitHub repository with the POC code: https://github.com/mveytsman/dilettante

Impact
Insecurely downloading code over an untrusted connection (HTTP) and executing the untrusted code inside of these JAR files as part of the unit/integration tests before a release opens these artifacts up to being maliciously compromised.
Remote code execution on a production server.
Malicious compromise of build artifacts.

Reported by keval_j
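The fix the report asks for ("force https instead of http") is a one-line change in the POM, but the same mistake is easy to miss across <repository>, <pluginRepository> and <snapshotRepository> elements in a multi-module build. The script below is an added example written for this page, not code from the report or from the DataNucleus project: it parses a POM, lists every repository whose URL starts with http://, and rewrites those URLs to https://. The POM it operates on is a constructed sample; only the repository URL in it is taken from the report.

```python
import sys
import xml.etree.ElementTree as ET

POM_NS = "http://maven.apache.org/POM/4.0.0"
# Keep the default namespace on output so the rewritten POM has no ns0: prefixes.
ET.register_namespace("", POM_NS)

# Constructed sample POM (not the real datanucleus-maven-parent pom).
# The datanucleus repository URL is the one named in the report.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>
  <artifactId>example-parent</artifactId>
  <version>0.0.1</version>
  <repositories>
    <repository>
      <id>datanucleus</id>
      <url>http://www.datanucleus.org/downloads/maven2/</url>
    </repository>
    <repository>
      <id>central</id>
      <url>https://repo.maven.apache.org/maven2/</url>
    </repository>
  </repositories>
  <pluginRepositories>
    <pluginRepository>
      <id>datanucleus-plugins</id>
      <url>http://www.datanucleus.org/downloads/maven2/</url>
    </pluginRepository>
  </pluginRepositories>
</project>
"""

# POM elements that carry a <url> from which Maven downloads artifacts or plugins.
REPO_TAGS = {"repository", "pluginRepository", "snapshotRepository"}


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified tag names."""
    return tag.rsplit("}", 1)[-1]


def find_insecure_repositories(pom_xml):
    """Return (element kind, repository id, url) for every repository URL using plain http."""
    root = ET.fromstring(pom_xml)
    findings = []
    for elem in root.iter():
        if _local(elem.tag) not in REPO_TAGS:
            continue
        repo_id, url = None, None
        for child in elem:
            if _local(child.tag) == "id":
                repo_id = (child.text or "").strip()
            elif _local(child.tag) == "url":
                url = (child.text or "").strip()
        if url and url.lower().startswith("http://"):
            findings.append((_local(elem.tag), repo_id, url))
    return findings


def rewrite_to_https(pom_xml):
    """Return (rewritten POM text, number of URLs changed) with http:// repository URLs upgraded."""
    root = ET.fromstring(pom_xml)
    changed = 0
    for elem in root.iter():
        if _local(elem.tag) not in REPO_TAGS:
            continue
        for child in elem:
            text = (child.text or "").strip()
            if _local(child.tag) == "url" and text.lower().startswith("http://"):
                child.text = "https://" + text[len("http://"):]
                changed += 1
    return ET.tostring(root, encoding="unicode"), changed


if __name__ == "__main__":
    # Usage: python pom_repo_check.py [pom.xml]; with no argument the constructed sample is used.
    pom_text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_POM
    for kind, repo_id, url in find_insecure_repositories(pom_text):
        print(f"insecure {kind} '{repo_id}': {url}")
    fixed, count = rewrite_to_https(pom_text)
    print(f"{count} repository URL(s) would be rewritten to https")
```

Two caveats when applying this to a real build: the script only upgrades the scheme, so confirm the host actually serves the repository over TLS before committing the change, and it does not touch URLs defined in settings.xml or injected through a mirror. Maven 3.8.1 and later already refuse plain-http external repositories by default, so builds on older Maven versions are the ones that still need a check like this.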

Report Details

Additional information and metadata

State

Closed

Substate

Resolved

Weakness

Man-in-the-Middle