89 matches found
apache-ivy: Directory Traversal
A flaw was found in Apache Ivy. With Apache Ivy 2.4.0, an optional packaging attribute was introduced that allows artifacts to be unpacked on the fly if pack200 or zip packaging was used. This issue could allow a malicious used to have unwanted access...
Important: apache-ivy
Issue Overview: A flaw was found in Apache Ivy. With Apache Ivy 2.4.0, an optional packaging attribute was introduced that allows artifacts to be unpacked on the fly if pack200 or zip packaging was used. This issue could allow a malicious user to have unwanted access. Ivy users of version 2.4.0 t...
Amazon Linux 2023 : apache-ivy, apache-ivy-javadoc (ALAS2023-2023-174)
It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2023-174 advisory. A flaw was found in Apache Ivy. With Apache Ivy 2.4.0, an optional packaging attribute was introduced that allows artifacts to be unpacked on the fly if pack200 or zip packaging was used. This...
Security Bulletin: IBM UrbanCode Deploy (UCD) is vulnerable to Path Traversal due to Apache Ivy (CVE-2022-37865, CVE-2022-37866)
Summary Apache Ivy is used by IBM UrbanCode Deploy as part of the Agents Apache Groovy scripting home. CVE-2022-37865, CVE-2022-37866 Vulnerability Details CVEID:CVE-2022-37866 DESCRIPTION: Apache Ivy could allow a remote attacker to traverse directories on the system, caused by improper validati...
CVE-2022-37865
A flaw was found in Apache Ivy. With Apache Ivy 2.4.0, an optional packaging attribute was introduced that allows artifacts to be unpacked on the fly if pack200 or zip packaging was used. This issue could allow a malicious used to have unwanted access...
SUSE CVE-2022-37866
When Apache Ivy downloads artifacts from a repository it stores them in the local file system based on a user-supplied "pattern" that may include placeholders for artifacts coordinates like the organisation, module or version. If said coordinates contain "../" sequences - which are valid characte...
CVE-2022-37866
A flaw was found in Apache Ivy. This may allow an attacker to place artifacts inside and outside of Ivy's repository and overwrite artifacts that the user will use later...
Path Traversal
apache ivy is vulnerable to path traversal. The vulnerability exists due to lack of file path pattern checks in the getCachedDataFile function of DefaultRepositoryCacheManager.java, allowing an attacker to overwrite files outside of the local cache by using ../ in artifact coordinates...
ae.teletronics.nlp:entityextraction (>=1.3 <=1.4), ai.catboost:catboost-spark_2.11 (>=0.25-rc1 <=0.25-rc3) +4986 more potentially affected by CVE-2022-37866 via org.apache.ivy:ivy (>=2.0.0 <=2.5.0)
org.apache.ivy:ivy MAVEN version =2.0.0, =1.3, =0.25-rc1, =0.25-rc1, =0.25, =0.25, =0.25, =0.25, =1.0.1, =1.0.6, =1.0.6, =1.1, =1.1.1, =0.0.25, =0.0.25, =0.0.25, =def544ccef5f753238ecc4adfc2eaa7d2fc36d53-0.0.91 and more Source cves: CVE-2022-37866 Source advisory: OSV:GHSA-WV7W-RJ2X-556X...
GHSA-WV7W-RJ2X-556X Apache Ivy vulnerable to path traversal
When Apache Ivy downloads artifacts from a repository it stores them in the local file system based on a user-supplied "pattern" that may include placeholders for artifacts coordinates like the organisation, module or version. If said coordinates contain "../" sequences - which are valid characte...
Apache Ivy vulnerable to path traversal
When Apache Ivy downloads artifacts from a repository it stores them in the local file system based on a user-supplied "pattern" that may include placeholders for artifacts coordinates like the organisation, module or version. If said coordinates contain "../" sequences - which are valid characte...
CVE-2022-37866
When Apache Ivy downloads artifacts from a repository it stores them in the local file system based on a user-supplied "pattern" that may include placeholders for artifacts coordinates like the organisation, module or version. If said coordinates contain "../" sequences - which are valid characte...
Design/Logic Flaw
When Apache Ivy downloads artifacts from a repository it stores them in the local file system based on a user-supplied "pattern" that may include placeholders for artifacts coordinates like the organisation, module or version. If said coordinates contain "../" sequences - which are valid characte...
Apache Ivy does not verify target path when extracting the archive
With Apache Ivy 2.4.0 an optional packaging attribute has been introduced that allows artifacts to be unpacked on the fly if they used pack200 or zip packaging. For artifacts using the "zip", "jar" or "war" packaging Ivy prior to version 2.5.1 doesn't verify the target path when extracting the...
CVE-2022-37865
With Apache Ivy 2.4.0 an optional packaging attribute has been introduced that allows artifacts to be unpacked on the fly if they used pack200 or zip packaging. For artifacts using the "zip", "jar" or "war" packaging Ivy prior to 2.5.1 doesn't verify the target path when extracting the archive. A...
Code injection
With Apache Ivy 2.4.0 an optional packaging attribute has been introduced that allows artifacts to be unpacked on the fly if they used pack200 or zip packaging. For artifacts using the "zip", "jar" or "war" packaging Ivy prior to 2.5.1 doesn't verify the target path when extracting the archive. A...
CVE-2022-37865
CVE-2022-37865 affects Apache Ivy when using packaging types zip/jar/war with an unpacking on-the-fly feature introduced in Ivy 2.4.0. The vulnerability arises from Ivy’s archive extraction not validating target paths, allowing an archive containing absolute paths or paths using .. to write files...
CVE-2022-37866 Apache Ivy allows path traversal in the presence of a malicious repository
When Apache Ivy downloads artifacts from a repository it stores them in the local file system based on a user-supplied "pattern" that may include placeholders for artifacts coordinates like the organisation, module or version. If said coordinates contain "../" sequences - which are valid characte...
CVE-2022-37865 Apache Ivy allows creating/overwriting any file on the system
With Apache Ivy 2.4.0 an optional packaging attribute has been introduced that allows artifacts to be unpacked on the fly if they used pack200 or zip packaging. For artifacts using the "zip", "jar" or "war" packaging Ivy prior to 2.5.1 doesn't verify the target path when extracting the archive. A...
CVE-2022-37866
Apache Ivy CVE-2022-37866 describes a directory traversal vulnerability where artifact coordinates with ".." can cause downloaded artifacts to be written outside Ivy’s local cache or overwrite other files. Exploitation requires collaboration from the remote repository, as Ivy will issue HTTP requ...