
List:       oss-security
Subject:    [oss-security] CVE-2022-46751: Apache Ivy: XML External Entity vulnerability in Apache Ivy
From:       Stefan Bodewig <bodewig () apache ! org>
Date:       2023-08-20 18:54:13
Message-ID: 877cppilyi.fsf () v45346 ! 1blu ! de

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Severity: moderate

Affected versions:

- Apache Ivy 1.0.0 through 2.5.1

Description:

Improper Restriction of XML External Entity Reference, XML Injection (aka Blind XPath Injection) vulnerability in Apache Software Foundation Apache Ivy. This issue affects any version of Apache Ivy prior to 2.5.2.

When Apache Ivy prior to 2.5.2 parses XML files - either its own configuration, Ivy files or Apache Maven POMs - it will allow downloading external document type definitions and expand any entity references contained therein when used.

This can be used to exfiltrate data, access resources only the machine running Ivy has access to or disturb the execution of Ivy in different ways.

Starting with Ivy 2.5.2 DTD processing is disabled by default except when parsing Maven POMs, where the default is to allow DTD processing but only to include a DTD snippet shipping with Ivy that is needed to deal with existing Maven POMs that are not valid XML files but are nevertheless accepted by Maven. Access can be made more lenient via newly introduced system properties where needed.

Users of Ivy prior to version 2.5.2 can use Java system properties to restrict processing of external DTDs, see the section about "JAXP Properties for External Access restrictions" inside Oracle's "Java API for XML Processing (JAXP) Security Guide".
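The following is an added example, not code from Ivy or from this advisory. It shows what the JAXP external-access restriction referred to above does: a constructed Ivy-style module descriptor carries a DOCTYPE pointing at an external DTD (the host name is a placeholder), and a DocumentBuilderFactory configured with the ACCESS_EXTERNAL_DTD attribute refuses to fetch it. Setting the attribute in code is equivalent to starting the JVM with -Djavax.xml.accessExternalDTD="" which is the route that applies to Ivy releases before 2.5.2, where Ivy creates the parser factory itself. The class name, method names and the sample XML are all assumptions made for this example.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class IvyExternalDtdCheck {

    // Constructed sample (not from Ivy): an Ivy-style module descriptor whose
    // DOCTYPE references an external DTD. The host is a placeholder; with the
    // restriction in place the parser never contacts it.
    static final String IVY_FILE_WITH_EXTERNAL_DTD =
          "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE ivy-module SYSTEM \"http://dtd.example.invalid/ivy.dtd\">\n"
        + "<ivy-module version=\"2.0\">\n"
        + "  <info organisation=\"org.example\" module=\"demo\"/>\n"
        + "</ivy-module>\n";

    /**
     * Builds a DocumentBuilderFactory whose parsers refuse to fetch external
     * DTDs. The JAXP attribute set here is the same restriction the JVM-wide
     * system property javax.xml.accessExternalDTD="" applies to every parser
     * created by the JDK's built-in JAXP implementation.
     */
    static DocumentBuilderFactory restrictedFactory() {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        // Empty protocol list: no protocol may be used to fetch an external DTD
        // or external entity, so a DOCTYPE with a remote SYSTEM id is rejected.
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        // Defence in depth: do not expand entity references into the DOM either.
        factory.setExpandEntityReferences(false);
        return factory;
    }

    /**
     * Returns true when the parser rejected the external DTD reference because
     * of the access restriction, false when the document parsed normally.
     * The sample is otherwise well-formed, so a SAXParseException here is the
     * denied fetch; a genuine network failure on an unrestricted parser would
     * surface as an IOException instead and is deliberately not caught.
     */
    static boolean externalDtdBlocked(DocumentBuilderFactory factory, String xml)
            throws Exception {
        try {
            Document doc = factory.newDocumentBuilder()
                    .parse(new InputSource(new StringReader(xml)));
            return doc == null;   // parse succeeded: the DTD was not blocked
        } catch (SAXParseException e) {
            // JDK message reads roughly: "External DTD: Failed to read external
            // DTD '...', because 'http' access is not allowed due to restriction
            // set by the accessExternalDTD property."
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        boolean blocked = externalDtdBlocked(restrictedFactory(), IVY_FILE_WITH_EXTERNAL_DTD);
        System.out.println("external DTD fetch blocked: " + blocked);
    }
}
```

For an Ivy build you cannot upgrade yet, the equivalent configuration goes on the JVM command line rather than into code, for example `java -Djavax.xml.accessExternalDTD="" -jar ivy.jar ...` (or through `ANT_OPTS` when Ivy runs under Ant). The attribute is honoured by the JAXP implementation bundled with the JDK since 7u40; an older standalone Xerces on the classpath may reject it with an IllegalArgumentException, which is itself a useful signal that the restriction is not in effect.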

Credit:

CC Bomber, Kitri BoB (finder)
Jenkins Security Team (reporter)

References:

https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-94ABC0EE-9DC8-44F0-84AD-47ADD5340477
https://gitbox.apache.org/repos/asf?p=ant-ivy.git;a=commit;h=2be17bc18b0e1d4123007d579e43ba1a4b6fab3d
https://lists.apache.org/thread/9gcz4xrsn8c7o9gb377xfzvkb8jltffr
https://ant.apache.org/
https://www.cve.org/CVERecord?id=CVE-2022-46751

Timeline:

2022-11-30: reported to the ASF security team
2023-08-20: made public
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEARECAAYFAmTiYVUACgkQohFa4V9ri3J3GQCeJtCHJPATZc1KNH66qv6TCwb+
ossAnRDxeSXNQ+4G4vk9UtA9BdreXk1V
=d0O7
-----END PGP SIGNATURE-----


