Lucene search
+L

89 matches found

RedHat Linux
RedHat Linux
added 2023/05/03 2:5 p.m.5 views

apache-ivy: Directory Traversal

A flaw was found in Apache Ivy. With Apache Ivy 2.4.0, an optional packaging attribute was introduced that allows artifacts to be unpacked on the fly if pack200 or zip packaging was used. This issue could allow a malicious used to have unwanted access...

9.1CVSS7.3AI score0.01819EPSS
Exploits0References5
Amazon
Amazon
added 2023/05/03 12:0 a.m.7 views

Important: apache-ivy

Issue Overview: A flaw was found in Apache Ivy. With Apache Ivy 2.4.0, an optional packaging attribute was introduced that allows artifacts to be unpacked on the fly if pack200 or zip packaging was used. This issue could allow a malicious user to have unwanted access. Ivy users of version 2.4.0 t...

9.1CVSS8.1AI score0.01819EPSS
Exploits0
Tenable Nessus
Tenable Nessus
added 2023/05/03 12:0 a.m.30 views

Amazon Linux 2023 : apache-ivy, apache-ivy-javadoc (ALAS2023-2023-174)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2023-174 advisory. A flaw was found in Apache Ivy. With Apache Ivy 2.4.0, an optional packaging attribute was introduced that allows artifacts to be unpacked on the fly if pack200 or zip packaging was used. This...

9.1CVSS7.9AI score0.01819EPSS
Exploits0References6
IBM Security Bulletins
IBM Security Bulletins
added 2023/03/30 7:6 p.m.36 views

Security Bulletin: IBM UrbanCode Deploy (UCD) is vulnerable to Path Traversal due to Apache Ivy (CVE-2022-37865, CVE-2022-37866)

Summary Apache Ivy is used by IBM UrbanCode Deploy as part of the Agents Apache Groovy scripting home. CVE-2022-37865, CVE-2022-37866 Vulnerability Details CVEID:CVE-2022-37866 DESCRIPTION: Apache Ivy could allow a remote attacker to traverse directories on the system, caused by improper validati...

9.1CVSS8.1AI score0.01819EPSS
Exploits0Affected Software1
RedhatCVE
RedhatCVE
added 2023/03/27 8:43 p.m.55 views

CVE-2022-37865

A flaw was found in Apache Ivy. With Apache Ivy 2.4.0, an optional packaging attribute was introduced that allows artifacts to be unpacked on the fly if pack200 or zip packaging was used. This issue could allow a malicious used to have unwanted access...

9.1CVSS8.7AI score0.01819EPSS
Exploits0References4
SUSE CVE
SUSE CVE
added 2023/02/15 3:24 a.m.3 views

SUSE CVE-2022-37866

When Apache Ivy downloads artifacts from a repository it stores them in the local file system based on a user-supplied "pattern" that may include placeholders for artifacts coordinates like the organisation, module or version. If said coordinates contain "../" sequences - which are valid characte...

6.3CVSS8.9AI score0.01596EPSS
Exploits0References7
RedhatCVE
RedhatCVE
added 2022/12/01 3:56 p.m.42 views

CVE-2022-37866

A flaw was found in Apache Ivy. This may allow an attacker to place artifacts inside and outside of Ivy's repository and overwrite artifacts that the user will use later...

7.5CVSS3.5AI score0.01596EPSS
Exploits0References3
Veracode
Veracode
added 2022/11/08 2:30 a.m.34 views

Path Traversal

apache ivy is vulnerable to path traversal. The vulnerability exists due to lack of file path pattern checks in the getCachedDataFile function of DefaultRepositoryCacheManager.java, allowing an attacker to overwrite files outside of the local cache by using ../ in artifact coordinates...

7.5CVSS8AI score0.01596EPSS
Exploits0References4Affected Software2
vulnersOsv
vulnersOsv
added 2022/11/07 7:0 p.m.9 views

ae.teletronics.nlp:entityextraction (>=1.3 <=1.4), ai.catboost:catboost-spark_2.11 (>=0.25-rc1 <=0.25-rc3) +4986 more potentially affected by CVE-2022-37866 via org.apache.ivy:ivy (>=2.0.0 <=2.5.0)

org.apache.ivy:ivy MAVEN version =2.0.0, =1.3, =0.25-rc1, =0.25-rc1, =0.25, =0.25, =0.25, =0.25, =1.0.1, =1.0.6, =1.0.6, =1.1, =1.1.1, =0.0.25, =0.0.25, =0.0.25, =def544ccef5f753238ecc4adfc2eaa7d2fc36d53-0.0.91 and more Source cves: CVE-2022-37866 Source advisory: OSV:GHSA-WV7W-RJ2X-556X...

7.5CVSS7.1AI score0.01596EPSS
Exploits0
OSV
OSV
added 2022/11/07 7:0 p.m.7 views

GHSA-WV7W-RJ2X-556X Apache Ivy vulnerable to path traversal

When Apache Ivy downloads artifacts from a repository it stores them in the local file system based on a user-supplied "pattern" that may include placeholders for artifacts coordinates like the organisation, module or version. If said coordinates contain "../" sequences - which are valid characte...

7.5CVSS7.2AI score0.01596EPSS
Exploits0References3
Github Security Blog
Github Security Blog
added 2022/11/07 7:0 p.m.34 views

Apache Ivy vulnerable to path traversal

When Apache Ivy downloads artifacts from a repository it stores them in the local file system based on a user-supplied "pattern" that may include placeholders for artifacts coordinates like the organisation, module or version. If said coordinates contain "../" sequences - which are valid characte...

7.5CVSS8.1AI score0.01596EPSS
Exploits0References4Affected Software1
NVD
NVD
added 2022/11/07 2:15 p.m.15 views

CVE-2022-37866

When Apache Ivy downloads artifacts from a repository it stores them in the local file system based on a user-supplied "pattern" that may include placeholders for artifacts coordinates like the organisation, module or version. If said coordinates contain "../" sequences - which are valid characte...

7.5CVSS0.01596EPSS
Exploits0References2
Prion
Prion
added 2022/11/07 2:15 p.m.25 views

Design/Logic Flaw

When Apache Ivy downloads artifacts from a repository it stores them in the local file system based on a user-supplied "pattern" that may include placeholders for artifacts coordinates like the organisation, module or version. If said coordinates contain "../" sequences - which are valid characte...

5CVSS8.1AI score0.01596EPSS
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2022/11/07 12:0 p.m.34 views

Apache Ivy does not verify target path when extracting the archive

With Apache Ivy 2.4.0 an optional packaging attribute has been introduced that allows artifacts to be unpacked on the fly if they used pack200 or zip packaging. For artifacts using the "zip", "jar" or "war" packaging Ivy prior to version 2.5.1 doesn't verify the target path when extracting the...

9.1CVSS8.6AI score0.01819EPSS
Exploits0References5Affected Software1
NVD
NVD
added 2022/11/07 11:15 a.m.17 views

CVE-2022-37865

With Apache Ivy 2.4.0 an optional packaging attribute has been introduced that allows artifacts to be unpacked on the fly if they used pack200 or zip packaging. For artifacts using the "zip", "jar" or "war" packaging Ivy prior to 2.5.1 doesn't verify the target path when extracting the archive. A...

9.1CVSS0.01819EPSS
Exploits0References2
Prion
Prion
added 2022/11/07 11:15 a.m.25 views

Code injection

With Apache Ivy 2.4.0 an optional packaging attribute has been introduced that allows artifacts to be unpacked on the fly if they used pack200 or zip packaging. For artifacts using the "zip", "jar" or "war" packaging Ivy prior to 2.5.1 doesn't verify the target path when extracting the archive. A...

6.4CVSS8.8AI score0.01819EPSS
Exploits0References2Affected Software1
CVE
CVE
added 2022/11/07 12:0 a.m.188 views

CVE-2022-37865

CVE-2022-37865 affects Apache Ivy when using packaging types zip/jar/war with an unpacking on-the-fly feature introduced in Ivy 2.4.0. The vulnerability arises from Ivy’s archive extraction not validating target paths, allowing an archive containing absolute paths or paths using .. to write files...

9.1CVSS9AI score0.01819EPSS
Exploits0References2Affected Software1
OSV
OSV
added 2022/11/07 12:0 a.m.22 views

CVE-2022-37866 Apache Ivy allows path traversal in the presence of a malicious repository

When Apache Ivy downloads artifacts from a repository it stores them in the local file system based on a user-supplied "pattern" that may include placeholders for artifacts coordinates like the organisation, module or version. If said coordinates contain "../" sequences - which are valid characte...

7.5CVSS7.1AI score0.01596EPSS
Exploits0References4
OSV
OSV
added 2022/11/07 12:0 a.m.30 views

CVE-2022-37865 Apache Ivy allows creating/overwriting any file on the system

With Apache Ivy 2.4.0 an optional packaging attribute has been introduced that allows artifacts to be unpacked on the fly if they used pack200 or zip packaging. For artifacts using the "zip", "jar" or "war" packaging Ivy prior to 2.5.1 doesn't verify the target path when extracting the archive. A...

9.1CVSS7.1AI score0.01819EPSS
Exploits0References4
CVE
CVE
added 2022/11/07 12:0 a.m.325 views

CVE-2022-37866

Apache Ivy CVE-2022-37866 describes a directory traversal vulnerability where artifact coordinates with ".." can cause downloaded artifacts to be written outside Ivy’s local cache or overwrite other files. Exploitation requires collaboration from the remote repository, as Ivy will issue HTTP requ...

7.5CVSS7.4AI score0.01596EPSS
Exploits0References2Affected Software1
Rows per page
Query Builder