Amazon ALAS-2023-1863
Oct 12, 2023 - 3:48 p.m.

Important: apache-ivy

2023-10-12 15:48:00
alas.aws.amazon.com
apache, ivy, xml injection, external entity, dtd, cve-2022-46751

CVSS3: 8.2
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L

AI Score: 8.5
Confidence: High

EPSS: 0.002
Percentile: 52.0%

Issue Overview:

Improper Restriction of XML External Entity Reference, XML Injection (aka Blind XPath Injection) vulnerability in Apache Software Foundation Apache Ivy. This issue affects any version of Apache Ivy prior to 2.5.2.

When Apache Ivy prior to 2.5.2 parses XML files - either its own configuration, Ivy files or Apache Maven POMs - it will allow downloading external document type definitions and expand any entity references contained therein when used.

This can be used to exfiltrate data, access resources only the machine running Ivy has access to or disturb the execution of Ivy in different ways.

Starting with Ivy 2.5.2, DTD processing is disabled by default except when parsing Maven POMs, where the default is to allow DTD processing but only to include a DTD snippet shipping with Ivy that is needed to deal with existing Maven POMs that are not valid XML files but are nevertheless accepted by Maven. Access can be made more lenient via newly introduced system properties where needed.

Users of Ivy prior to version 2.5.2 can use Java system properties to restrict processing of external DTDs, see the section about “JAXP Properties for External Access restrictions” inside Oracle’s “Java API for XML Processing (JAXP) Security Guide”. (CVE-2022-46751)
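The effect of the JAXP external-access restriction mentioned above, shown as an added example (not part of the advisory and not Ivy code). It uses the JDK's built-in parser rather than Ivy; the class name, the temporary DTD file and the `marker` entity are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class ExternalDtdRestrictionDemo {
    // Parse with a fresh factory. protocols == null keeps the JVM-wide setting
    // (the system property); otherwise the factory attribute overrides it.
    static String parse(String xml, String protocols) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        if (protocols != null) {
            factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, protocols);
        }
        try {
            Document doc = factory.newDocumentBuilder()
                    .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return "parsed, info=" + doc.getDocumentElement().getTextContent();
        } catch (SAXException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Same effect as starting the JVM with -Djavax.xml.accessExternalDTD=""
        // (empty value = no protocol allowed). Set before any parser is created.
        System.setProperty("javax.xml.accessExternalDTD", "");
        // Constructed sample: a local DTD declaring one harmless entity, and an
        // Ivy-file-shaped document that pulls it in through its DOCTYPE.
        Path dtd = Files.createTempFile("constructed-sample", ".dtd");
        Files.write(dtd, "<!ENTITY marker \"text-from-external-dtd\">"
                .getBytes(StandardCharsets.UTF_8));
        String xml = "<!DOCTYPE ivy-module SYSTEM \"" + dtd.toUri() + "\">\n"
                + "<ivy-module><info>&marker;</info></ivy-module>";
        try {
            // Restricted by the system property: the parser refuses to fetch the DTD.
            System.out.println("system property \"\": " + parse(xml, null));
            // Lenient factory (pre-mitigation behaviour): the DTD is loaded and
            // the entity declared in it is expanded into the document.
            System.out.println("attribute \"file\":   " + parse(xml, "file"));
        } finally {
            Files.delete(dtd);
        }
    }
}
```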

Affected Packages:

apache-ivy

Issue Correction:
Run yum update apache-ivy to update your system.

New Packages:

noarch:  
    apache-ivy-javadoc-2.2.0-5.2.amzn1.noarch  
    apache-ivy-2.2.0-5.2.amzn1.noarch  
  
src:  
    apache-ivy-2.2.0-5.2.amzn1.src  

Additional References

Red Hat: CVE-2022-46751

Mitre: CVE-2022-46751
