BDU:2024-02252

Опубликовано: 17 авг. 2023

Источник: fstec

CVSS3: 8.2

CVSS2: 8.5

EPSS Низкий

Описание

Уязвимость пакетного менеджера Apache Ivy связана с неверным ограничением XML-ссылок на внешние объекты. Эксплуатация уязвимости может позволить нарушителю, действующему удалённо, раскрыть защищаемую информацию или вызвать отказ в обслуживании

Вендор

Red Hat Inc.

Novell Inc.

JetBrains

Apache Software Foundation

Наименование ПО

Red Hat Enterprise Linux

OpenSUSE Leap

Red Hat JBoss Fuse

Red Hat Software Collections

SUSE Linux Enterprise Module for Development Tools

Suse Linux Enterprise Server

Red Hat Integration Camel K

SUSE Linux Enterprise High Performance Computing

SUSE Linux Enterprise Server for SAP Applications

SUSE Manager Proxy

SUSE Manager Server

Suse Linux Enterprise Desktop

SUSE Enterprise Storage

SUSE Manager Retail Branch Server

SUSE Linux Enterprise Real Time

Red Hat Integration Camel for Spring Boot

Red Hat AMQ Streams

Migration Toolkit for Applications

Migration Toolkit for Runtimes

Scala Plugin for IntelliJ IDEA

Ivy

Версия ПО

7 (Red Hat Enterprise Linux)

15.5 (OpenSUSE Leap)

8 (Red Hat Enterprise Linux)

7 (Red Hat JBoss Fuse)

- (Red Hat Software Collections)

15 SP2 (SUSE Linux Enterprise Module for Development Tools)

15 SP 3 (Suse Linux Enterprise Server)

- (Red Hat Integration Camel K)

15.4 (OpenSUSE Leap)

15 SP3 (SUSE Linux Enterprise High Performance Computing)

15 SP3 (SUSE Linux Enterprise Server for SAP Applications)

4.2 (SUSE Manager Proxy)

4.2 (SUSE Manager Server)

15 SP3 (Suse Linux Enterprise Desktop)

7 (SUSE Enterprise Storage)

15 SP2 (Suse Linux Enterprise Server)

15 SP2 (SUSE Linux Enterprise Server for SAP Applications)

4.1 (SUSE Manager Server)

4.1 (SUSE Manager Proxy)

15 SP2-ESPOS (SUSE Linux Enterprise High Performance Computing)

15 SP2-LTSS (SUSE Linux Enterprise High Performance Computing)

15 SP3 (SUSE Linux Enterprise Module for Development Tools)

4.1 (SUSE Manager Retail Branch Server)

15 SP4 (Suse Linux Enterprise Server)

15 SP2 (Suse Linux Enterprise Desktop)

15 SP2 (SUSE Linux Enterprise High Performance Computing)

15 SP4 (Suse Linux Enterprise Desktop)

15 SP2-BCL (Suse Linux Enterprise Server)

15 SP4 (SUSE Linux Enterprise Server for SAP Applications)

4.2 (SUSE Manager Retail Branch Server)

15 SP2-LTSS (Suse Linux Enterprise Server)

15 SP2 (SUSE Linux Enterprise Real Time)

4.3 (SUSE Manager Retail Branch Server)

4.3 (SUSE Manager Proxy)

4.3 (SUSE Manager Server)

15 SP4 (SUSE Linux Enterprise High Performance Computing)

7.1 (SUSE Enterprise Storage)

15 SP4 (SUSE Linux Enterprise Module for Development Tools)

- (Red Hat Integration Camel for Spring Boot)

15 SP3-LTSS (Suse Linux Enterprise Server)

15 SP3-ESPOS (SUSE Linux Enterprise High Performance Computing)

15 SP3-LTSS (SUSE Linux Enterprise High Performance Computing)

15 SP3 (SUSE Linux Enterprise Real Time)

15 SP3-BCL (Suse Linux Enterprise Server)

15 SP5 (SUSE Linux Enterprise Server for SAP Applications)

15 SP5 (Suse Linux Enterprise Server)

15 SP5 (Suse Linux Enterprise Desktop)

15 SP5 (SUSE Linux Enterprise High Performance Computing)

15 SP5 (SUSE Linux Enterprise Module for Development Tools)

15 SP4 (SUSE Linux Enterprise Real Time)

2.6.0 (Red Hat AMQ Streams)

15 SP4-ESPOS (SUSE Linux Enterprise High Performance Computing)

15 SP4-LTSS (SUSE Linux Enterprise High Performance Computing)

15 SP4-LTSS (Suse Linux Enterprise Server)

6.2 for RHEL 8 (Migration Toolkit for Applications)

6.2 for RHEL 9 (Migration Toolkit for Applications)

1.2.4 (Migration Toolkit for Runtimes)

2022.1.17 (Scala Plugin for IntelliJ IDEA)

4.0.0 (Red Hat Integration Camel for Spring Boot)

до 2.5.1 включительно (Ivy)

Тип ПО

Операционная система

Прикладное ПО информационных систем

Сетевое средство

Операционные системы и аппаратные платформы

Red Hat Inc. Red Hat Enterprise Linux 7

Novell Inc. OpenSUSE Leap 15.5

Red Hat Inc. Red Hat Enterprise Linux 8

Novell Inc. Suse Linux Enterprise Server 15 SP 3

Novell Inc. OpenSUSE Leap 15.4

Novell Inc. SUSE Linux Enterprise Server for SAP Applications 15 SP3

Novell Inc. Suse Linux Enterprise Desktop 15 SP3

Novell Inc. Suse Linux Enterprise Server 15 SP2

Novell Inc. SUSE Linux Enterprise Server for SAP Applications 15 SP2

Novell Inc. Suse Linux Enterprise Server 15 SP4

Novell Inc. Suse Linux Enterprise Desktop 15 SP2

Novell Inc. Suse Linux Enterprise Desktop 15 SP4

Novell Inc. Suse Linux Enterprise Server 15 SP2-BCL

Novell Inc. SUSE Linux Enterprise Server for SAP Applications 15 SP4

Novell Inc. Suse Linux Enterprise Server 15 SP2-LTSS

Novell Inc. SUSE Linux Enterprise Real Time 15 SP2

Novell Inc. Suse Linux Enterprise Server 15 SP3-LTSS

Novell Inc. SUSE Linux Enterprise Real Time 15 SP3

Novell Inc. Suse Linux Enterprise Server 15 SP3-BCL

Novell Inc. SUSE Linux Enterprise Server for SAP Applications 15 SP5

Novell Inc. Suse Linux Enterprise Server 15 SP5

Novell Inc. Suse Linux Enterprise Desktop 15 SP5

Novell Inc. SUSE Linux Enterprise Real Time 15 SP4

Novell Inc. Suse Linux Enterprise Server 15 SP4-LTSS

Уровень опасности уязвимости

Высокий уровень опасности (базовая оценка CVSS 2.0 составляет 8,5)

Высокий уровень опасности (базовая оценка CVSS 3.0 составляет 8,2)

Возможные меры по устранению уязвимости

Использование рекомендаций:

Для программных продуктов Novell Inc.:

https://www.suse.com/security/cve/CVE-2022-46751.html

Для программных продуктов Red Hat Inc.:

https://access.redhat.com/security/cve/CVE-2022-46751

Для программных продуктов Apache Software Foundation:

https://ant.apache.org/ivy/

Компенсирующие меры для программных продуктов JetBrains:

- использование антивирусного программного обеспечения для отслеживания средств эксплуатации уязвимости.

Статус уязвимости

Подтверждена производителем

Наличие эксплойта

Данные уточняются

Информация об устранении

Уязвимость устранена

Ссылки на источники

Идентификаторы других систем описаний уязвимостей

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-46751
CVE

EPSS

Процентиль: 40%

0.00186

Низкий

8.2 High

CVSS3

8.5 High

CVSS2

Связанные уязвимости

CVE-2022-46751

CVSS3: 8.2

redhat

больше 2 лет назад

Improper Restriction of XML External Entity Reference, XML Injection (aka Blind XPath Injection) vulnerability in Apache Software Foundation Apache Ivy.This issue affects any version of Apache Ivy prior to 2.5.2. When Apache Ivy prior to 2.5.2 parses XML files - either its own configuration, Ivy files or Apache Maven POMs - it will allow downloading external document type definitions and expand any entity references contained therein when used. This can be used to exfiltrate data, access resources only the machine running Ivy has access to or disturb the execution of Ivy in different ways. Starting with Ivy 2.5.2 DTD processing is disabled by default except when parsing Maven POMs where the default is to allow DTD processing but only to include a DTD snippet shipping with Ivy that is needed to deal with existing Maven POMs that are not valid XML files but are nevertheless accepted by Maven. Access can be be made more lenient via newly introduced system properties where needed. Users...

CVE-2022-46751

CVSS3: 8.2

nvd

больше 2 лет назад

SUSE-SU-2023:4367-1

suse-cvrf

больше 2 лет назад

Security update for apache-ivy

GHSA-2jc4-r94c-rp7h

CVSS3: 8.2

github

больше 2 лет назад

Apache Ivy External Entity Reference vulnerability

EPSS

Процентиль: 40%

0.00186

Низкий

8.2 High

CVSS3

8.5 High

CVSS2