Apache Ivy up to 2.5.1 xml external entity reference

Summaryinfo

A vulnerability identified as problematic has been detected in Apache Ivy up to 2.5.1. Affected by this vulnerability is an unknown functionality. This manipulation causes xml external entity reference. The identification of this vulnerability is CVE-2022-46751. There is no exploit available. You should upgrade the affected component.

Detailsinfo

A vulnerability was found in Apache Ivy up to 2.5.1. It has been declared as problematic. Affected by this vulnerability is some unknown functionality. The manipulation with an unknown input leads to a xml external entity reference vulnerability. The CWE definition for the vulnerability is CWE-611. The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. As an impact it is known to affect confidentiality, integrity, and availability. The summary by CVE is:

Improper Restriction of XML External Entity Reference, XML Injection (aka Blind XPath Injection) vulnerability in Apache Software Foundation Apache Ivy.This issue affects any version of Apache Ivy prior to 2.5.2. When Apache Ivy prior to 2.5.2 parses XML files - either its own configuration, Ivy files or Apache Maven POMs - it will allow downloading external document type definitions and expand any entity references contained therein when used. This can be used to exfiltrate data, access resources only the machine running Ivy has access to or disturb the execution of Ivy in different ways. Starting with Ivy 2.5.2 DTD processing is disabled by default except when parsing Maven POMs where the default is to allow DTD processing but only to include a DTD snippet shipping with Ivy that is needed to deal with existing Maven POMs that are not valid XML files but are nevertheless accepted by Maven. Access can be be made more lenient via newly introduced system properties where needed. Users of Ivy prior to version 2.5.2 can use Java system properties to restrict processing of external DTDs, see the section about "JAXP Properties for External Access restrictions" inside Oracle's "Java API for XML Processing (JAXP) Security Guide".

The weakness was shared 08/21/2023. The advisory is shared at lists.apache.org. This vulnerability is known as CVE-2022-46751 since 12/07/2022. Neither technical details nor an exploit are publicly available.

The vulnerability scanner Nessus provides a plugin with the ID 210929 (Jenkins plugins Multiple Vulnerabilities (2024-11-13)), which helps to determine the existence of the flaw in a target environment.

Upgrading to version 2.5.2 eliminates this vulnerability. The upgrade is hosted for download at github.com. Applying the patch 2be17bc18b0e1d4123007d579e43ba1a4b6fab3d is able to eliminate this problem. The bugfix is ready for download at gitbox.apache.org. The best possible mitigation is suggested to be upgrading to the latest version.

The vulnerability is also documented in the vulnerability database at Tenable (210929). If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Productinfo

Vendor

• Apache

Name

• Ivy

Version

• 2.5.0
• 2.5.1

License

• open-source

Website

• Vendor: https://www.apache.org/

CPE 2.3info

• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Discussion