PT-2022-7281 · Apache · Apache Ivy

Kostya Kortchinsky · Published 2022-11-07 · Updated 2024-12-03 · CVE-2022-37866

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:C/A:N
Name of the Vulnerable Software and Affected Versions: Apache Ivy versions 2.0.0 through 2.5.1

Description: The issue is an improper restriction of a directory pathname in the Apache Ivy package manager, which can allow a remote attacker to gain unauthorized access to the file system. When Apache Ivy downloads artifacts from a repository, it stores them in the local file system according to a user-supplied pattern that may include placeholders for artifact coordinates. If these coordinates contain "../" sequences, artifacts can be stored outside Ivy's local cache or repository, or can overwrite other artifacts inside the local cache. Exploiting this issue requires collaboration from the remote repository, because Ivy issues HTTP requests containing the ".." sequences, and a normal repository will not interpret them as part of the artifact coordinates.

Recommendations: For Apache Ivy versions 2.0.0 through 2.5.1, upgrade to Ivy 2.5.1 to resolve the issue. As a temporary workaround until the upgrade is applied, restrict the use of user-supplied patterns whose artifact coordinates may include "../" sequences. Additionally, restrict access to the local cache or repository to minimize the risk of exploitation. Avoid using patterns that contain "../" sequences in the affected API endpoint until the issue is resolved.
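As an added illustration (not code from this advisory or from the Ivy project), the following Python models how a retrieve pattern is expanded with artifact coordinates and contrasts an unchecked destination path with a hardened resolver that rejects coordinates carrying path segments and confirms the resolved path stays inside the cache root. The pattern, cache root and coordinate values are constructed for the example.

```python
import os
import re

# Constructed example: an Ivy-style retrieve pattern whose bracketed tokens are
# replaced with the artifact's coordinates when the destination path is built.
PATTERN = "[organisation]/[module]/[revision]/[artifact]-[revision].[ext]"
TOKEN_RE = re.compile(r"\[([a-z]+)\]")
# Constructed coordinates: a benign artifact, and one whose module coordinate
# carries "../" segments, the shape of input the advisory describes.
BENIGN = {"organisation": "org.example", "module": "lib",
          "revision": "1.0", "artifact": "lib", "ext": "jar"}
HOSTILE = dict(BENIGN, module="../../../outside")

def expand_pattern(pattern: str, coords: dict) -> str:
    """Substitute every [token] with the matching coordinate, without validation."""
    return TOKEN_RE.sub(lambda m: coords[m.group(1)], pattern)

def unsafe_destination(cache_root: str, pattern: str, coords: dict) -> str:
    """Vulnerable shape: the expanded pattern is joined onto the cache root
    as-is, so ".." segments inside a coordinate walk out of the cache."""
    return os.path.normpath(os.path.join(cache_root, expand_pattern(pattern, coords)))

def validate_coordinates(coords: dict) -> None:
    """Reject any coordinate that could contribute a path segment of its own."""
    for name, value in coords.items():
        if (not value or "/" in value or "\\" in value
                or value in (".", "..") or "\x00" in value):
            raise ValueError(f"illegal artifact coordinate {name}={value!r}")

def safe_destination(cache_root: str, pattern: str, coords: dict) -> str:
    """Hardened shape: validate the coordinates, then confirm the resolved path
    still lies inside the cache root (defence in depth against the pattern itself)."""
    validate_coordinates(coords)
    root = os.path.realpath(cache_root)
    dest = os.path.realpath(os.path.join(root, expand_pattern(pattern, coords)))
    if os.path.commonpath([root, dest]) != root:
        raise ValueError(f"destination {dest!r} escapes cache root {root!r}")
    return dest

def is_rejected(cache_root: str, pattern: str, coords: dict) -> bool:
    """True when the hardened resolver refuses these coordinates."""
    try:
        safe_destination(cache_root, pattern, coords)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    print("unsafe:", unsafe_destination("/var/cache/ivy", PATTERN, HOSTILE))
    print("hostile rejected:", is_rejected("/var/cache/ivy", PATTERN, HOSTILE))
```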

Fix

Path traversal

Weakness Enumeration

Related Identifiers

BDU:2024-02253
BDU:2024-02278
CVE-2022-37866
GHSA-WV7W-RJ2X-556X
MGASA-2023-0216
OPENSUSE-SU-2024:12506-1

Affected Products

Apache Ivy
RED OS