Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM0BBA883C0B8760C941A3A9C6A8415A4207D48DBBDA9509EA1AA0AD3AACE14092
HistoryMar 30, 2023 - 7:06 p.m.

Security Bulletin: IBM UrbanCode Deploy (UCD) is vulnerable to Path Traversal due to Apache Ivy (CVE-2022-37865, CVE-2022-37866)

2023-03-3019:06:46
www.ibm.com
13

9.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

6.4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:P/A:P

0.002 Low

EPSS

Percentile

52.9%

JSON

Summary

Apache Ivy is used by IBM UrbanCode Deploy as part of the Agents Apache Groovy scripting home. CVE-2022-37865, CVE-2022-37866

Vulnerability Details

CVEID:CVE-2022-37866
**DESCRIPTION:**Apache Ivy could allow a remote attacker to traverse directories on the system, caused by improper validation of user request. An attacker could send a specially-crafted URL request containing โ€œdot dotโ€ sequences (/โ€ฆ/) to overwrite arbitrary files on the system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/239567 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVEID:CVE-2022-37865
**DESCRIPTION:**Apache Ivy could allow a local authenticated attacker to traverse directories on the system, caused by improper validation of user supplied input. An attacker could use a specially-crafted archive file containing โ€œdot dotโ€ sequences (/โ€ฆ/) to write arbitrary files on the system.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/239423 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N)

Affected Products and Versions

Affected Product(s) Version(s)
UCD - IBM UrbanCode Deploy 6.2.0.0 - 6.2.7.19
UCD - IBM UrbanCode Deploy 7.0.5.0 - 7.0.5.14
UCD - IBM UrbanCode Deploy 7.1.0.0 - 7.1.2.10
UCD - IBM UrbanCode Deploy 7.2.0.0 - 7.2.3.3
UCD - IBM UrbanCode Deploy 7.3.0.0 - 7.3.0.1

Remediation/Fixes

IBM strongly suggests the following:

Upgrade to any of 6.2.7.20,7.0.5.15, 7.1.2.11, 7.2.3.4, or 7.3.1.0 or later

Workarounds and Mitigations

None

CPENameOperatorVersion
ibm urbancode deployeq7.3.1.0

Related

nessus 5
ibm 6
openvas 2
fedora 1
mageia 1
veracode 2
cve 2
osv 4
amazon 2
github 2
prion 2
redhatcve 2
redhat 1
oracle 2
nessus
nessus
Fedora 38 : apache-ivy (2023-35f775fd6e)
2023-07-04 00:00:00
Amazon Linux 2023 : apache-ivy, apache-ivy-javadoc (ALAS2023-2023-174)
2023-05-03 00:00:00
Amazon Linux 2 : apache-ivy (ALAS-2023-2165)
2023-07-26 00:00:00
ibm
ibm
Security Bulletin: Multiple vulnerabilities in ivy-2.4.0.jar affect IBM Application Performance Management products
2023-09-07 06:51:21
Security Bulletin: Multiple Vulnerabilities in Apache Ivy affect IBM Cloud Pak System
2024-01-03 18:20:47
Security Bulletin: Multiple vulnerabilities affect IBM Db2ยฎ Graph
2023-04-24 22:02:48
openvas
openvas
Mageia: Security Advisory (MGASA-2023-0216)
2023-07-10 00:00:00
Fedora: Security Advisory for apache-ivy (FEDORA-2023-35f775fd6e)
2023-07-05 00:00:00
fedora
fedora
[SECURITY] Fedora 38 Update: apache-ivy-2.5.1-3.fc38
2023-07-04 01:34:09
mageia
mageia
Updated apache-ivy packages fix security vulnerability
2023-07-07 08:54:45
veracode
veracode
Arbitrary File Write
2022-11-08 03:35:02
Path Traversal
2022-11-08 02:30:33
cve
cve
CVE-2022-37865
2022-11-07 11:15:00
CVE-2022-37866
2022-11-07 14:15:00
osv
osv
CVE-2022-37865
2022-11-07 11:15:10
Apache Ivy does not verify target path when extracting the archive
2022-11-07 12:00:33
Apache Ivy vulnerable to path traversal
2022-11-07 19:00:20
amazon
amazon
Important: apache-ivy
2024-01-19 01:19:00
Important: apache-ivy
2023-07-20 17:29:00
github
github
Apache Ivy does not verify target path when extracting the archive
2022-11-07 12:00:33
Apache Ivy vulnerable to path traversal
2022-11-07 19:00:20
prion
prion
Code injection
2022-11-07 11:15:00
Design/Logic Flaw
2022-11-07 14:15:00
redhatcve
redhatcve
CVE-2022-37865
2023-03-27 20:43:04
CVE-2022-37866
2022-12-01 15:56:37
redhat
redhat
(RHSA-2023:2100) Important: Red Hat Integration Camel for Spring Boot 3.20.1 security update
2023-05-03 14:03:49
oracle
oracle
Oracle Critical Patch Update Advisory - July 2023
2023-07-18 00:00:00
Oracle Critical Patch Update Advisory - April 2023
2023-04-18 00:00:00

9.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

6.4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:P/A:P

0.002 Low

EPSS

Percentile

52.9%

JSON
Related for 0BBA883C0B8760C941A3A9C6A8415A4207D48DBBDA9509EA1AA0AD3AACE14092
nessus5ibm6openvas2fedora1mageia1veracode2cve2osv4amazon2github2prion2redhatcve2redhat1oracle2