OpenCVE

With Apache Ivy 2.4.0 an optional packaging attribute has been introduced that allows artifacts to be unpacked on the fly if they used pack200 or zip packaging. For artifacts using the "zip", "jar" or "war" packaging Ivy prior to 2.5.1 doesn't verify the target path when extracting the archive. An archive containing absolute paths or paths that try to traverse "upwards" using ".." sequences can then write files to any location on the local fie system that the user executing Ivy has write access to. Ivy users of version 2.4.0 to 2.5.0 should upgrade to Ivy 2.5.1.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Apache	Ivy
Redhat	Camel Spring Boot

Configuration 1 [-]

cpe:2.3:a:apache:ivy:*:*:*:*:*:*:*:*

Package	CPE	Advisory	Released Date
RHINT Camel-Springboot 3.20.1
apache-ivy	cpe:/a:redhat:camel_spring_boot:3.20.1	RHSA-2023:2100	2023-05-03T00:00:00Z

References

Link	Providers
https://lists.apache.org/thread/gqvvv7qsm2dfjg6xzsw1s2h08tbr0sdy
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YDIFDL5WSBEKBUVKTABUFDDD25SBNJLS/
https://nvd.nist.gov/vuln/detail/CVE-2022-37865
https://www.cve.org/CVERecord?id=CVE-2022-37865

History

No history.

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2022-11-07T00:00:00

Updated: 2024-08-03T10:37:41.641Z

Reserved: 2022-08-08T00:00:00

Link: CVE-2022-37865

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-11-07T11:15:10.043

Modified: 2024-11-21T07:15:17.277

Link: CVE-2022-37865

Redhat

Severity : Moderate

Publid Date: 2022-11-07T00:00:00Z

Links: CVE-2022-37865 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-37865", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "dateUpdated": "2024-08-03T10:37:41.641Z", "dateReserved": "2022-08-08T00:00:00", "datePublished": "2022-11-07T00:00:00"}, "containers": {"cna": {"title": "Apache Ivy allows creating/overwriting any file on the system", "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2023-07-04T00:00:00"}, "descriptions": [{"lang": "en", "value": "With Apache Ivy 2.4.0 an optional packaging attribute has been introduced that allows artifacts to be unpacked on the fly if they used pack200 or zip packaging. For artifacts using the \"zip\", \"jar\" or \"war\" packaging Ivy prior to 2.5.1 doesn't verify the target path when extracting the archive. An archive containing absolute paths or paths that try to traverse \"upwards\" using \"..\" sequences can then write files to any location on the local fie system that the user executing Ivy has write access to. Ivy users of version 2.4.0 to 2.5.0 should upgrade to Ivy 2.5.1."}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache Ivy", "versions": [{"version": "2.4.0", "status": "affected", "lessThan": "unspecified", "versionType": "custom"}, {"version": "unspecified", "lessThanOrEqual": "2.5.0", "status": "affected", "versionType": "custom"}]}], "references": [{"url": "https://lists.apache.org/thread/gqvvv7qsm2dfjg6xzsw1s2h08tbr0sdy"}, {"name": "FEDORA-2023-35f775fd6e", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YDIFDL5WSBEKBUVKTABUFDDD25SBNJLS/"}], "credits": [{"lang": "en", "value": "This issue was discovered by Kostya Kortchinsky of the Databricks Security Team."}], "metrics": [{"other": {"type": "unknown", "content": {"other": "medium"}}}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "allow create/overwrite any file on the syste"}]}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "source": {"discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T10:37:41.641Z"}, "title": "CVE Program Container", "references": [{"url": "https://lists.apache.org/thread/gqvvv7qsm2dfjg6xzsw1s2h08tbr0sdy", "tags": ["x_transferred"]}, {"name": "FEDORA-2023-35f775fd6e", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YDIFDL5WSBEKBUVKTABUFDDD25SBNJLS/"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:ivy:*:*:*:*:*:*:*:*", "matchCriteriaId": "904C5D5E-A06E-4BBF-BE87-E7CA460C19CD", "versionEndExcluding": "2.5.1", "versionStartIncluding": "2.4.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "With Apache Ivy 2.4.0 an optional packaging attribute has been introduced that allows artifacts to be unpacked on the fly if they used pack200 or zip packaging. For artifacts using the \"zip\", \"jar\" or \"war\" packaging Ivy prior to 2.5.1 doesn't verify the target path when extracting the archive. An archive containing absolute paths or paths that try to traverse \"upwards\" using \"..\" sequences can then write files to any location on the local fie system that the user executing Ivy has write access to. Ivy users of version 2.4.0 to 2.5.0 should upgrade to Ivy 2.5.1."}, {"lang": "es", "value": "Con Apache Ivy 2.4.0 se introdujo un atributo de empaquetado opcional que permite descomprimir los artefactos sobre la marcha si usaron embalaje pack200 o zip. Para los artefactos que utilizan el paquete \"zip\", \"jar\" o \"war\", Ivy anterior a 2.5.1 no verifica la ruta de destino al extraer el archivo. Un archivo que contiene rutas absolutas o intentos de path traversal \"upwards\" using\" usando secuencias \"..\" puede luego escribir archivos en cualquier ubicaci\u00f3n del sistema de archivos local a la que el usuario que ejecuta Ivy tenga acceso de escritura. Los usuarios de Ivy de la versi\u00f3n 2.4.0 a 2.5.0 deben actualizar a Ivy 2.5.1."}], "id": "CVE-2022-37865", "lastModified": "2024-11-21T07:15:17.277", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-11-07T11:15:10.043", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/gqvvv7qsm2dfjg6xzsw1s2h08tbr0sdy"}, {"source": "security@apache.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YDIFDL5WSBEKBUVKTABUFDDD25SBNJLS/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/gqvvv7qsm2dfjg6xzsw1s2h08tbr0sdy"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YDIFDL5WSBEKBUVKTABUFDDD25SBNJLS/"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2023:2100", "cpe": "cpe:/a:redhat:camel_spring_boot:3.20.1", "package": "apache-ivy", "product_name": "RHINT Camel-Springboot 3.20.1", "release_date": "2023-05-03T00:00:00Z"}], "bugzilla": {"description": "apache-ivy: Directory Traversal", "id": "2182188", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2182188"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "status": "verified"}, "cwe": "CWE-22", "details": ["With Apache Ivy 2.4.0 an optional packaging attribute has been introduced that allows artifacts to be unpacked on the fly if they used pack200 or zip packaging. For artifacts using the \"zip\", \"jar\" or \"war\" packaging Ivy prior to 2.5.1 doesn't verify the target path when extracting the archive. An archive containing absolute paths or paths that try to traverse \"upwards\" using \"..\" sequences can then write files to any location on the local fie system that the user executing Ivy has write access to. Ivy users of version 2.4.0 to 2.5.0 should upgrade to Ivy 2.5.1.", "A flaw was found in Apache Ivy. With Apache Ivy 2.4.0, an optional packaging attribute was introduced that allows artifacts to be unpacked on the fly if pack200 or zip packaging was used. This issue could allow a malicious used to have unwanted access."], "name": "CVE-2022-37865", "package_state": [{"cpe": "cpe:/a:redhat:a_mq_clients:2", "fix_state": "Not affected", "package_name": "apache-ivy", "product_name": "A-MQ Clients 2"}, {"cpe": "cpe:/a:redhat:migration_toolkit_applications:6", "fix_state": "Will not fix", "package_name": "apache-ivy", "product_name": "Migration Toolkit for Applications 6"}, {"cpe": "cpe:/a:redhat:migration_toolkit_runtimes:1", "fix_state": "Will not fix", "package_name": "org.freemarker-freemarker-2.3.31.redhat_00001-1", "product_name": "Migration Toolkit for Runtimes"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Not affected", "package_name": "apache-ivy", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "apache-ivy", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Out of support scope", "package_name": "apache-ivy", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Will not fix", "package_name": "apache-ivy", "product_name": "Red Hat Integration Camel K"}, {"cpe": "cpe:/a:redhat:camel_quarkus:2", "fix_state": "Not affected", "package_name": "apache-ivy", "product_name": "Red Hat Integration Camel Quarkus"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Out of support scope", "package_name": "apache-ivy", "product_name": "Red Hat JBoss Data Grid 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6", "fix_state": "Out of support scope", "package_name": "apache-ivy", "product_name": "Red Hat JBoss Enterprise Application Platform 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Not affected", "package_name": "apache-ivy", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "apache-ivy", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "fix_state": "Not affected", "package_name": "apache-ivy", "product_name": "Red Hat OpenShift Application Runtimes"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Not affected", "package_name": "apache-ivy", "product_name": "Red Hat Single Sign-On 7"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Will not fix", "package_name": "rh-maven36-apache-ivy", "product_name": "Red Hat Software Collections"}], "public_date": "2022-11-07T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-37865\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-37865\nhttps://lists.apache.org/thread/gqvvv7qsm2dfjg6xzsw1s2h08tbr0sdy"], "statement": "Although the CVSS states High according to NIST, due to the nature of this flaw, considering it's an optional attribute and there must be restrictions in other layers to prevent attacks, this flaw is taken as a Moderate following the Medium impact from Apache.", "threat_severity": "Moderate", "upstream_fix": "Apache Ivy 2.5.1"}