CVE-2022-46751

Опубликовано: 21 авг. 2023

Источник: nvd

CVSS3: 8.2

EPSS Низкий

Описание

When Apache Ivy prior to 2.5.2 parses XML files - either its own configuration, Ivy files or Apache Maven POMs - it will allow downloading external document type definitions and expand any entity references contained therein when used.

This can be used to exfiltrate data, access resources only the machine running Ivy has access to or disturb the execution of Ivy in different ways.

Starting with Ivy 2.5.2 DTD processing is disabled by default except when parsing Maven POMs where the default is to allow DTD processing but only to include a DTD snippet shipping with Ivy that is needed to deal with existing Maven POMs that are not valid XML files but are nevertheless accepted by Maven. Access can be be made more lenient via newly introduced system properties where needed.

User

Ссылки

http://www.openwall.com/lists/oss-security/2023/09/06/9
https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-94ABC0EE-9DC8-44F0-84AD-47ADD5340477
Third Party Advisory
https://gitbox.apache.org/repos/asf?p=ant-ivy.git;a=commit;h=2be17bc18b0e1d4123007d579e43ba1a4b6fab3d
Vendor Advisory
https://lists.apache.org/thread/1dj60hg5nr36kjr4p1100dwjrqookps8
Mailing List
Vendor Advisory
https://lists.apache.org/thread/9gcz4xrsn8c7o9gb377xfzvkb8jltffr
Mailing List
Vendor Advisory
http://www.openwall.com/lists/oss-security/2023/09/06/9
https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-94ABC0EE-9DC8-44F0-84AD-47ADD5340477
Third Party Advisory
https://gitbox.apache.org/repos/asf?p=ant-ivy.git;a=commit;h=2be17bc18b0e1d4123007d579e43ba1a4b6fab3d
Vendor Advisory
https://lists.apache.org/thread/1dj60hg5nr36kjr4p1100dwjrqookps8
Mailing List
Vendor Advisory
https://lists.apache.org/thread/9gcz4xrsn8c7o9gb377xfzvkb8jltffr
Mailing List
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:apache:ivy:*:*:*:*:*:*:*:*

Версия до 2.5.2 (исключая)

EPSS

Процентиль: 40%

0.00186

Низкий

8.2 High

CVSS3

Дефекты

CWE-91

Связанные уязвимости

CVE-2022-46751

CVSS3: 8.2

redhat

больше 2 лет назад

Improper Restriction of XML External Entity Reference, XML Injection (aka Blind XPath Injection) vulnerability in Apache Software Foundation Apache Ivy.This issue affects any version of Apache Ivy prior to 2.5.2. When Apache Ivy prior to 2.5.2 parses XML files - either its own configuration, Ivy files or Apache Maven POMs - it will allow downloading external document type definitions and expand any entity references contained therein when used. This can be used to exfiltrate data, access resources only the machine running Ivy has access to or disturb the execution of Ivy in different ways. Starting with Ivy 2.5.2 DTD processing is disabled by default except when parsing Maven POMs where the default is to allow DTD processing but only to include a DTD snippet shipping with Ivy that is needed to deal with existing Maven POMs that are not valid XML files but are nevertheless accepted by Maven. Access can be be made more lenient via newly introduced system properties where needed. Users...

SUSE-SU-2023:4367-1

suse-cvrf

больше 2 лет назад

Security update for apache-ivy

GHSA-2jc4-r94c-rp7h

CVSS3: 8.2

github

больше 2 лет назад

Apache Ivy External Entity Reference vulnerability

BDU:2024-02252

CVSS3: 8.2

fstec

больше 2 лет назад

Уязвимость пакетного менеджера Apache Ivy, связанная с неверным ограничением XML-ссылок на внешние объекты, позволяющая нарушителю раскрыть защищаемую информацию или вызвать отказ в обслуживании

EPSS

Процентиль: 40%

0.00186

Низкий

8.2 High

CVSS3

Дефекты

CWE-91