[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: [oss-security] CVE-2022-46751: Apache Ivy: XML External Entity vulnerability in Apache Ivy
From: Stefan Bodewig <bodewig () apache ! org>
Date: 2023-08-20 18:54:13
Message-ID: 877cppilyi.fsf () v45346 ! 1blu ! de
[Download RAW message or body]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Severity: moderate
Affected versions:
- - Apache Ivy 1.0.0 through 2.5.1
Description:
Improper Restriction of XML External Entity Reference, XML Injection (aka Blind XPath \
Injection) vulnerability in Apache Software Foundation Apache Ivy.This issue affects any \
version of Apache Ivy prior to 2.5.2.
When Apache Ivy prior to 2.5.2 parses XML files - either its own configuration, Ivy files or \
Apache Maven POMs - it will allow downloading external document type definitions and expand any \
entity references contained therein when used.
This can be used to exfiltrate data, access resources only the machine running Ivy has access \
to or disturb the execution of Ivy in different ways.
Starting with Ivy 2.5.2 DTD processing is disabled by default except when parsing Maven POMs \
where the default is to allow DTD processing but only to include a DTD snippet shipping with \
Ivy that is needed to deal with existing Maven POMs that are not valid XML files but are \
nevertheless accepted by Maven. Access can be be made more lenient via newly introduced system \
properties where needed.
Users of Ivy prior to version 2.5.2 can use Java system properties to restrict processing of \
external DTDs, see the section about "JAXP Properties for External Access restrictions" inside \
Oracle's "Java API for XML Processing (JAXP) Security Guide".
Credit:
CC Bomber, Kitri BoB (finder)
Jenkins Security Team (reporter)
References:
https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-94ABC0EE-9DC8-44F0-84AD-47ADD5340477
https://gitbox.apache.org/repos/asf?p=ant-ivy.git;a=commit;h=2be17bc18b0e1d4123007d579e43ba1a4b6fab3d
https://lists.apache.org/thread/9gcz4xrsn8c7o9gb377xfzvkb8jltffr
https://ant.apache.org/
https://www.cve.org/CVERecord?id=CVE-2022-46751
Timeline:
2022-11-30: reported to the ASF security team
2023-08-20: made public
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iEYEARECAAYFAmTiYVUACgkQohFa4V9ri3J3GQCeJtCHJPATZc1KNH66qv6TCwb+
ossAnRDxeSXNQ+4G4vk9UtA9BdreXk1V
=d0O7
-----END PGP SIGNATURE-----
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic