Task
Resolution: Done
Major
1.44.0.Final

Checking the OSL 1.30 swf-builder and swf-devmode prod images, they have the following maven-core and plexus-utils artifacts:
ls ~/.m2/repository/org/apache/maven/maven-core/
2.0.6 2.2.1 3.0 3.2.5 3.8.6
All versions before 3.8.1 are affected by CVE-2021-26291, as they accept HTTP and not only HTTPS.
maven-core 2.0.6 -> required by maven-resources-plugin:2.6:resources
maven-core 2.2.1 -> required by maven-compiler-plugin:3.8.1:compile
maven-core 3.0 -> required by maven-compiler-plugin:3.8.1:compile
maven-core 3.2.5 -> required by maven-surefire-plugin:3.0.0-M7:test
ls ~/.m2/repository/org/codehaus/plexus/plexus-utils/
1.0.4 1.4.1 1.5.15 1.5.5 1.5.8 2.0.4 2.0.5 3.0 3.0.22 3.0.5 3.3.0 3.3.0.redhat-00002
All versions before 3.0.16 are affected by CVE-2017-1000487.
plexus-utils 1.0.4 -> required by maven-resources-plugin:2.6:resources
plexus-utils 1.4.1 -> required by maven-resources-plugin:2.6:resources
plexus-utils 1.5.5 -> required by maven-compiler-plugin:3.8.1:compile
plexus-utils 1.5.8 -> required by maven-resources-plugin:2.6:resources
plexus-utils 1.5.15 -> required by maven-resources-plugin:2.6:resources
plexus-utils 2.0.4 -> required by maven-compiler-plugin:3.8.1:compile
plexus-utils 2.0.5 -> required by maven-resources-plugin:2.6:resources
plexus-utils 3.0 -> required by maven-clean-plugin:2.5:clean
plexus-utils 3.0.5 -> required by maven-install-plugin:2.4:install
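
The manual check above can be scripted. The following is an added example, not part of the original ticket or the project's tooling: it walks a Maven local repository and prints every cached version older than the fixed release the ticket names. The function names are hypothetical, the two thresholds are the ones stated in the ticket, and the sample repository is constructed from the listings above.

```shell
# Added example (not from the ticket); function names are hypothetical.

# version_lt A B: succeed if A is strictly older than B. Fields compare as
# integers (3.0.5 < 3.0.16); qualifiers like ".redhat-00002" are ignored.
version_lt() {
  local va vb x y
  va=${1%%[!0-9.]*}; vb=${2%%[!0-9.]*}
  while [ -n "$va" ] || [ -n "$vb" ]; do
    x=${va%%.*}; y=${vb%%.*}
    case $va in *.*) va=${va#*.} ;; *) va= ;; esac
    case $vb in *.*) vb=${vb#*.} ;; *) vb= ;; esac
    [ "${x:-0}" -lt "${y:-0}" ] && return 0
    [ "${x:-0}" -gt "${y:-0}" ] && return 1
  done
  return 1  # equal versions are not older
}

# flag_cached REPO GROUP_PATH ARTIFACT FIXED: print "ARTIFACT VERSION" for each
# cached version directory older than FIXED.
flag_cached() {
  local dir ver
  for dir in "$1/$2/$3"/*/; do
    [ -d "$dir" ] || continue
    ver=$(basename "$dir")
    case $ver in [0-9]*) ;; *) continue ;; esac
    if version_lt "$ver" "$4"; then printf '%s %s\n' "$3" "$ver"; fi
  done
}

# audit REPO: apply the two thresholds stated in the ticket.
audit() {
  flag_cached "$1" org/apache/maven maven-core 3.8.1        # CVE-2021-26291
  flag_cached "$1" org/codehaus/plexus plexus-utils 3.0.16  # CVE-2017-1000487
}

# Constructed sample repository mirroring the two listings in the ticket.
make_sample_repo() {
  local repo v
  repo=$(mktemp -d)
  for v in 2.0.6 2.2.1 3.0 3.2.5 3.8.6; do
    mkdir -p "$repo/org/apache/maven/maven-core/$v"
  done
  for v in 1.0.4 1.4.1 1.5.15 1.5.5 1.5.8 2.0.4 2.0.5 3.0 3.0.22 3.0.5 3.3.0 3.3.0.redhat-00002; do
    mkdir -p "$repo/org/codehaus/plexus/plexus-utils/$v"
  done
  printf '%s\n' "$repo"
}

sample=$(make_sample_repo); audit "$sample"; rm -rf "$sample"
```

To audit a real image, run `audit ~/.m2/repository` inside it; comparing the fields as integers matters because a string comparison would rank 3.0.5 above 3.0.16.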