Описание
With Apache Ivy 2.4.0 an optional packaging attribute has been introduced that allows artifacts to be unpacked on the fly if they used pack200 or zip packaging. For artifacts using the "zip", "jar" or "war" packaging Ivy prior to 2.5.1 doesn't verify the target path when extracting the archive. An archive containing absolute paths or paths that try to traverse "upwards" using ".." sequences can then write files to any location on the local fie system that the user executing Ivy has write access to. Ivy users of version 2.4.0 to 2.5.0 should upgrade to Ivy 2.5.1.
A flaw was found in Apache Ivy. With Apache Ivy 2.4.0, an optional packaging attribute was introduced that allows artifacts to be unpacked on the fly if pack200 or zip packaging was used. This issue could allow a malicious used to have unwanted access.
Отчет
Although the CVSS states High according to NIST, due to the nature of this flaw, considering it's an optional attribute and there must be restrictions in other layers to prevent attacks, this flaw is taken as a Moderate following the Medium impact from Apache.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| A-MQ Clients 2 | apache-ivy | Not affected | ||
| Migration Toolkit for Applications 6 | apache-ivy | Will not fix | ||
| Migration Toolkit for Runtimes | org.freemarker-freemarker-2.3.31.redhat_00001-1 | Will not fix | ||
| Red Hat Data Grid 8 | apache-ivy | Not affected | ||
| Red Hat Enterprise Linux 7 | apache-ivy | Out of support scope | ||
| Red Hat Fuse 7 | apache-ivy | Out of support scope | ||
| Red Hat Integration Camel K 1 | apache-ivy | Will not fix | ||
| Red Hat Integration Camel Quarkus 1 | apache-ivy | Not affected | ||
| Red Hat JBoss Data Grid 7 | apache-ivy | Out of support scope | ||
| Red Hat JBoss Enterprise Application Platform 6 | apache-ivy | Out of support scope |
Показывать по
Дополнительная информация
Статус:
EPSS
9.1 Critical
CVSS3
Связанные уязвимости
With Apache Ivy 2.4.0 an optional packaging attribute has been introduced that allows artifacts to be unpacked on the fly if they used pack200 or zip packaging. For artifacts using the "zip", "jar" or "war" packaging Ivy prior to 2.5.1 doesn't verify the target path when extracting the archive. An archive containing absolute paths or paths that try to traverse "upwards" using ".." sequences can then write files to any location on the local fie system that the user executing Ivy has write access to. Ivy users of version 2.4.0 to 2.5.0 should upgrade to Ivy 2.5.1.
Apache Ivy does not verify target path when extracting the archive
Уявимость пакетного менеджера Apache Ivy, связанная с неверным ограниченим имени пути к каталогу с ограниченным доступом, позволяющая нарушителю записать произвольные файлы в файловую систему
EPSS
9.1 Critical
CVSS3