
CVE-2022-46751

Published: 21/08/2023 Updated: 06/09/2023
CVSS v3 Base Score: 8.2 | Impact Score: 4.2 | Exploitability Score: 3.9
VMScore: 0

Vulnerability Summary

Improper Restriction of XML External Entity Reference, XML Injection (aka Blind XPath Injection) vulnerability in Apache Software Foundation Apache Ivy. This issue affects any version of Apache Ivy before 2.5.2. When Apache Ivy before 2.5.2 parses XML files - either its own configuration, Ivy files or Apache Maven POMs - it will allow downloading external document type definitions and expand any entity references contained therein when used. This can be used to exfiltrate data, access resources only the machine running Ivy has access to, or disturb the execution of Ivy in different ways. Starting with Ivy 2.5.2, DTD processing is disabled by default except when parsing Maven POMs, where the default is to allow DTD processing but only to include a DTD snippet shipping with Ivy that is needed to deal with existing Maven POMs that are not valid XML files but are nevertheless accepted by Maven. Access can be made more lenient via newly introduced system properties where needed. Users of Ivy prior to version 2.5.2 can use Java system properties to restrict processing of external DTDs; see the section about "JAXP Properties for External Access restrictions" inside Oracle's "Java API for XML Processing (JAXP) Security Guide".
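As an added illustration (not code from the advisory, from Ivy or from Oracle's guide), the following Java program shows the effect of the JAXP restriction the advisory points pre-2.5.2 users at. It parses a constructed Ivy-style module file whose DOCTYPE references a remote DTD three times: with JDK defaults, with external DTD access disabled on the factory, and with the `javax.xml.accessExternalDTD` system property set JVM-wide. The DTD URL, the file contents and the class name are placeholders constructed for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.SAXException;

public class ExternalDtdCheck {
    // Constructed sample: Ivy-style file whose DOCTYPE points at a remote DTD (placeholder host).
    static final String IVY_FILE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE ivy-module SYSTEM \"http://dtd.example.invalid/ivy.dtd\">\n"
      + "<ivy-module version=\"2.0\">\n"
      + "  <info organisation=\"org.example\" module=\"demo\"/>\n"
      + "</ivy-module>\n";

    /** Parses IVY_FILE with the given factory and reports what the parser did. */
    static String parse(DocumentBuilderFactory factory) {
        try {
            String root = factory.newDocumentBuilder()
                .parse(new ByteArrayInputStream(IVY_FILE.getBytes(StandardCharsets.UTF_8)))
                .getDocumentElement().getTagName();
            return "parsed <" + root + "> (external DTD was fetched and used)";
        } catch (IOException e) {
            // Reached only if the parser actually tried to contact the DTD host.
            return "tried to fetch the DTD: " + e;
        } catch (SAXException | ParserConfigurationException e) {
            // With access restricted, Xerces raises a fatal error naming the
            // accessExternalDTD restriction before any network I/O happens.
            return "refused: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // 1. JDK defaults: accessExternalDTD is "all", so the parser attempts the
        //    network fetch (offline this surfaces as an UnknownHostException).
        System.out.println(parse(DocumentBuilderFactory.newInstance()));

        // 2. Per-factory restriction (JAXP 1.5): "" allows no protocol at all.
        DocumentBuilderFactory restricted = DocumentBuilderFactory.newInstance();
        restricted.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        System.out.println(parse(restricted));

        // 3. JVM-wide restriction via the system property the advisory refers to,
        //    equivalent to -Djavax.xml.accessExternalDTD="" on the JVM running Ivy
        //    (or Ant with Ivy); unlike case 2 it also covers Ivy's own parsers.
        System.setProperty("javax.xml.accessExternalDTD", "");
        System.out.println(parse(DocumentBuilderFactory.newInstance()));
    }
}
```

The system property must be in place before the parser is created, which is why passing it on the JVM command line is the reliable form for a build that you do not control the code of; the same property also governs external entity references, not only the DTD download itself.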

Vulnerable Product

apache ivy

Vendor Advisories

Synopsis Moderate: Red Hat Integration Camel for Spring Boot 400 release and security update Type/Severity Security Advisory: Moderate Topic Red Hat Integration Camel for Spring Boot 400 release and security update is now available. Red Hat Product Security has rated this update as having an impact of Moderate. A Common Vulnerability Scor ...
Synopsis Important: Red Hat AMQ Streams 260 release and security update Type/Severity Security Advisory: Important Topic Red Hat AMQ Streams 260 is now available from the Red Hat Customer Portal. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, ...
Synopsis Moderate: Migration Toolkit for Runtimes security, bug fix and enhancement update Type/Severity Security Advisory: Moderate Topic Migration Toolkit for Runtimes 124 release. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a de ...
Improper Restriction of XML External Entity Reference, XML Injection (aka Blind XPath Injection) vulnerability in Apache Software Foundation Apache Ivy. This issue affects any version of Apache Ivy prior to 252. When Apache Ivy prior to 252 parses XML files - either its own configuration, Ivy files or Apache Maven POMs - it will allow downloadin ...

Github Repositories

Mill (lihaoyi, lefou): Your shiny new Java/Scala build tool! Confused by SBT? Frustrated by Maven? Perplexed by Gradle? Give Mill a try! If you want to use Mill in your own projects, check out its documentation.