Reporting New Security Problems with Apache Ivy

The Apache Software Foundation takes a very active stance in eliminating security problems and denial of service attacks against its products.

We strongly encourage folks to report such problems to our private security mailing list first, before disclosing them in a public forum.

Please note that the security mailing list should only be used for reporting undisclosed security vulnerabilities and managing the process of fixing such vulnerabilities. We cannot accept regular bug reports or other queries at this address. All mail sent to this address that does not relate to an undisclosed security problem in our source code will be ignored.

If you need to report a bug that isn't an undisclosed security vulnerability, please use the issue tracker.

Questions about:

  • if a vulnerability applies to your particular application
  • obtaining further information on a published vulnerability
  • availability of patches and/or new releases

should be addressed to the users mailing list. Please see Mailing lists for details of how to subscribe.

The private security mailing address is:

Apache Ivy Security Vulnerabilities

This page lists all security vulnerabilities fixed in released versions of Apache Ivy. Each vulnerability is given a security impact rating by the development team - please note that this rating may vary from platform to platform. We also list the versions of Ivy the flaw is known to affect; where a flaw has not been verified against a version, that version is listed with a question mark.

Please note that binary patches are never provided. If you need to apply a source code patch, use the building instructions for the Ivy version that you are using.

If you need help on building Ivy or other help on following the instructions to mitigate the known vulnerabilities listed here, please send your questions to the public Ivy Users mailing list.

If you have encountered an unlisted security vulnerability or other unexpected behaviour that has security impact, or if the descriptions here are incomplete, please report them privately to the Apache Security Team. Thank you.

Fixed in Apache Ivy 2.5.2

CVE-2022-46751: Apache Ivy Is Vulnerable to XML External Entity Injections

Medium: XML External Entity Injection CVE-2022-46751.

When Apache Ivy prior to 2.5.2 parses XML files - either its own configuration, Ivy files or Apache Maven POMs - it will allow downloading external document type definitions and expand any entity references contained therein when used.

This can be used to exfiltrate data, access resources only the machine running Ivy has access to or disturb the execution of Ivy in different ways.

Starting with Ivy 2.5.2, DTD processing is disabled by default. The one exception is parsing Maven POMs, where DTD processing remains enabled but is limited to a DTD snippet shipped with Ivy; this snippet is needed to deal with existing Maven POMs that are not valid XML files but are nevertheless accepted by Maven. Where needed, access can be made more lenient via newly introduced system properties.

Users of Ivy prior to version 2.5.2 can use Java system properties to restrict processing of external DTDs, see the section about "JAXP Properties for External Access restrictions" inside Oracle's Java API for XML Processing (JAXP) Security Guide.

This was fixed in revision 2be17bc1.

This was first reported to the Security Team on 30 November 2022 and made public on 20 August 2023.

Affects: until 2.5.1
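The following is an added example, not code from Ivy itself, showing the two mitigations the advisory above describes: a JAXP parser configured to reject DOCTYPE declarations and external DTD access (the kind of default Ivy adopted in 2.5.2), and the `javax.xml.accessExternalDTD` system property that users of earlier versions can set for the JVM running Ivy, assuming Ivy is using the JDK's built-in parser. The sample document and the `.invalid` host name are constructed for the demonstration, so nothing is ever fetched from the network.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

/**
 * Example (not Ivy's own parser setup) contrasting a JAXP parser with default
 * settings, which follows external DTD references, with one that refuses them.
 */
public class DtdHardeningDemo {

    // Constructed sample: an ivy.xml-like document whose DOCTYPE points at an
    // external DTD. A lenient parser would try to download it before parsing.
    static final String IVY_FILE_WITH_EXTERNAL_DTD =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE ivy-module SYSTEM \"http://dtd.example.invalid/ivy.dtd\">\n"
      + "<ivy-module version=\"2.0\">\n"
      + "  <info organisation=\"example\" module=\"demo\" revision=\"1.0\"/>\n"
      + "</ivy-module>\n";

    /** JAXP defaults: external DTDs are loaded and their entities expanded. */
    static DocumentBuilderFactory lenientFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    /** Hardened: no DOCTYPE at all, and no external DTD or schema access. */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Xerces feature honoured by the JDK parser: any DOCTYPE is a fatal error.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // JAXP 1.5 external-access restrictions: an empty protocol list allows nothing.
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        f.setXIncludeAware(false);
        return f;
    }

    /** Parses the document; returns null when the parser rejects it. */
    static Document tryParse(DocumentBuilderFactory f, String xml) throws Exception {
        DocumentBuilder b = f.newDocumentBuilder();
        try {
            return b.parse(new InputSource(new StringReader(xml)));
        } catch (SAXParseException rejected) {
            System.out.println("rejected: " + rejected.getMessage());
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Hardened factory: the DOCTYPE is rejected before any fetch could start.
        Document hardened = tryParse(hardenedFactory(), IVY_FILE_WITH_EXTERNAL_DTD);
        System.out.println("hardened parser accepted document: " + (hardened != null));

        // Ivy before 2.5.2 creates its own factories, so the restriction has to be
        // applied process-wide through the JAXP system property from the advisory.
        // Set it before the first parser is created, e.g. with
        // -Djavax.xml.accessExternalDTD="" on the JVM that runs Ivy or Ant.
        System.setProperty("javax.xml.accessExternalDTD", "");
        Document withProperty = tryParse(lenientFactory(), IVY_FILE_WITH_EXTERNAL_DTD);
        System.out.println("default factory under system property accepted document: "
                + (withProperty != null));
    }
}
```

With the system property in place, the JDK parser reports the external DTD reference as a fatal error rather than following it, which is the behaviour to verify on a pre-2.5.2 installation after adding the `-D` option to the Ivy or Ant launcher.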

Fixed in Apache Ivy 2.5.1

CVE-2022-37865: Apache Ivy allows creating/overwriting any file on the system

Medium: create/overwrite any file on the system CVE-2022-37865.

With Apache Ivy 2.4.0 an optional packaging attribute has been introduced that allows artifacts to be unpacked on the fly if they used pack200 or zip packaging.

For artifacts using the "zip", "jar" or "war" packaging, Ivy prior to 2.5.1 doesn't verify the target path when extracting the archive. An archive containing absolute paths or paths that try to traverse "upwards" using ".." sequences can then write files to any location on the local file system that the user executing Ivy has write access to.

This was fixed in revision 03b6b8c.

This was first reported to the Security Team on 16 June 2022 and made public on 4 November 2022.

Affects: 2.4.0 until 2.5.0

CVE-2022-37866: Apache Ivy Path Traversal

Medium: Path Traversal CVE-2022-37866.

When Apache Ivy downloads artifacts from a repository it stores them in the local file system based on a user-supplied "pattern" that may include placeholders for artifacts coordinates like the organisation, module or version.

If said coordinates contain "../" sequences - which are valid characters for Ivy coordinates in general - it is possible the artifacts are stored outside of Ivy's local cache or repository or can overwrite different artifacts inside of the local cache.

In order to exploit this vulnerability an attacker needs collaboration by the remote repository as Ivy will issue http requests containing ".." sequences and a "normal" repository will not interpret them as part of the artifact coordinates.

This was fixed in revision 3f37460.

This was first reported to the Security Team on 16 June 2022 and made public on 4 November 2022.

Affects: until 2.5.0
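Both CVE-2022-37865 and CVE-2022-37866 come down to the same missing check: a path derived from untrusted input (a zip entry name in the first case, artifact coordinates substituted into a cache pattern in the second) is used without confirming it still lies under the intended directory. The following added example, which is not Ivy's own code, shows that containment check applied to both cases. The `[organisation]`, `[module]`, `[revision]`, `[artifact]` and `[ext]` placeholders are Ivy's pattern tokens, but the plain string substitution here stands in for Ivy's pattern engine, and the archive contents are constructed for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

/** Example (not Ivy's own code): keep untrusted paths inside a root directory. */
public class ContainedPaths {

    /** Resolves untrusted against root and rejects anything that escapes it. */
    static Path resolveInside(Path root, String untrusted) throws IOException {
        Path base = root.toAbsolutePath().normalize();
        // An absolute name ignores root entirely; "../" segments are collapsed by normalize(),
        // so a simple prefix test on the normalized result catches both cases.
        Path target = base.resolve(untrusted).normalize();
        if (!target.startsWith(base)) {
            throw new IOException("path escapes " + base + ": " + untrusted);
        }
        return target;
    }

    /** CVE-2022-37865 case: validate every entry name before writing anything. */
    static List<Path> unpack(byte[] zipBytes, Path destDir) throws IOException {
        List<String> names = new ArrayList<>();
        try (ZipInputStream in = new ZipInputStream(new ByteArrayInputStream(zipBytes))) {
            for (ZipEntry e; (e = in.getNextEntry()) != null; ) {
                resolveInside(destDir, e.getName());   // throws on traversal or absolute names
                names.add(e.getName());
            }
        }
        // Only a fully validated archive reaches this second pass.
        List<Path> written = new ArrayList<>();
        try (ZipInputStream in = new ZipInputStream(new ByteArrayInputStream(zipBytes))) {
            for (ZipEntry e; (e = in.getNextEntry()) != null; ) {
                Path target = resolveInside(destDir, e.getName());
                if (e.isDirectory()) {
                    Files.createDirectories(target);
                } else {
                    Files.createDirectories(target.getParent());
                    Files.copy(in, target);
                    written.add(target);
                }
            }
        }
        return written;
    }

    /** CVE-2022-37866 case: substitute coordinates into a pattern, then contain the result. */
    static Path cachePath(Path cacheRoot, String pattern, String org, String module,
                          String rev, String artifact, String ext) throws IOException {
        String relative = pattern
            .replace("[organisation]", org)
            .replace("[module]", module)
            .replace("[revision]", rev)
            .replace("[artifact]", artifact)
            .replace("[ext]", ext);
        return resolveInside(cacheRoot, relative);
    }

    // Constructed sample archive: one benign entry and one whose name climbs out of the target.
    static byte[] sampleZip() throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ZipOutputStream out = new ZipOutputStream(buf)) {
            out.putNextEntry(new ZipEntry("lib/demo.txt"));
            out.write("ok".getBytes(StandardCharsets.UTF_8));
            out.closeEntry();
            out.putNextEntry(new ZipEntry("../../escaped.txt"));
            out.write("must never be written".getBytes(StandardCharsets.UTF_8));
            out.closeEntry();
        }
        return buf.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        Path cache = Files.createTempDirectory("ivy-cache-demo");
        String pattern = "[organisation]/[module]/[revision]/[artifact].[ext]";

        // Ordinary coordinates resolve to a location inside the cache.
        System.out.println(cachePath(cache, pattern, "org.example", "demo", "1.0", "demo", "jar"));

        // Coordinates carrying "../" are rejected instead of landing outside the cache.
        try {
            cachePath(cache, pattern, "../../..", "tmp", "x", "demo", "jar");
        } catch (IOException rejected) {
            System.out.println("pattern: " + rejected.getMessage());
        }

        // The archive is rejected as a whole; not even the benign entry is extracted.
        try {
            unpack(sampleZip(), cache.resolve("unpacked"));
        } catch (IOException rejected) {
            System.out.println("zip: " + rejected.getMessage());
        }
    }
}
```

The two-pass extraction is deliberate: validating all entry names before writing the first file means a crafted archive leaves nothing behind, whereas checking entries as they are written would already have placed the benign ones on disk. The same `resolveInside` check is what a repository pattern needs, since the advisory notes that ".." is otherwise a legal character sequence in Ivy coordinates.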

Errors and Omissions

Please report any errors or omissions to the Ant dev mailing list.