86 matches found
CVE-2022-37865 Apache Ivy allows creating/overwriting any file on the system
With Apache Ivy 2.4.0 an optional packaging attribute has been introduced that allows artifacts to be unpacked on the fly if they used pack200 or zip packaging. For artifacts using the "zip", "jar" or "war" packaging Ivy prior to 2.5.1 doesn't verify the target path when extracting the archive. A...
Apache Ivy 路径遍历漏洞
Apache Ivy is a deliverable package manager from the Apache Foundation USA. A path traversal vulnerability exists in Apache Ivy versions prior to 2.5.1, which stems from the fact that artifacts may be stored outside of Ivy's local cache or repository, or can overwrite different artifacts within t...
CVE-2022-37865 Apache Ivy allows creating/overwriting any file on the system
With Apache Ivy 2.4.0 an optional packaging attribute has been introduced that allows artifacts to be unpacked on the fly if they used pack200 or zip packaging. For artifacts using the "zip", "jar" or "war" packaging Ivy prior to 2.5.1 doesn't verify the target path when extracting the archive. A...
CVE-2022-37865
CVE-2022-37865 affects Apache Ivy when using packaging types zip/jar/war with an unpacking on-the-fly feature introduced in Ivy 2.4.0. The vulnerability arises from Ivy’s archive extraction not validating target paths, allowing an archive containing absolute paths or paths using .. to write files...
CVE-2022-37866 Apache Ivy allows path traversal in the presence of a malicious repository
When Apache Ivy downloads artifacts from a repository it stores them in the local file system based on a user-supplied "pattern" that may include placeholders for artifacts coordinates like the organisation, module or version. If said coordinates contain "../" sequences - which are valid characte...
apache-ivy.996301.n3.nabble.com Cross Site Scripting vulnerability
Open Bug Bounty ID: OBB-1188116 Following coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has:       a. verified the vulnerability and confirmed its existence;       b. notified the website...