PT-2022-7284 · Apache+1 · Apache Ivy+1

Kostya Kortchinsky · Published 2022-11-07 · Updated 2024-12-03 · CVE-2022-37865

CVSS v2.0: 9.4 Critical

Vector: AV:N/AC:L/Au:N/C:N/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Apache Ivy versions 2.4.0 through 2.5.0

Description: The issue is related to the extraction of archives in Apache Ivy, where the target path is not verified for artifacts using "zip", "jar", or "war" packaging. This allows an archive with absolute paths or paths that traverse "upwards" using ".." sequences to write files to any location on the local file system that the user executing Ivy has write access to.

Recommendations: For Apache Ivy versions 2.4.0 to 2.5.0, upgrade to Ivy version 2.5.1 to resolve the issue. As a temporary workaround, consider restricting the use of the archive extraction feature until the upgrade is applied. Avoid using archives with absolute paths or paths that traverse "upwards" using ".." sequences in the affected API endpoint until the issue is resolved.
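The target-path verification the description says is missing, shown as an added Python example (not Apache Ivy's own Java code): each archive entry name is normalised and rejected if it is absolute or still climbs above the extraction root with "..", run here over a constructed in-memory archive rather than a real artifact.

```python
import io
import posixpath
import zipfile


def entry_escapes(entry_name: str) -> bool:
    """Return True if extracting this entry would write outside the target dir.

    Zip entry names use '/' as separator; backslashes are normalised first so a
    Windows-style name cannot bypass the check. Absolute and drive-letter names
    are rejected outright, then the name is normalised and rejected if it still
    climbs above the extraction root.
    """
    name = entry_name.replace("\\", "/")
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        return True
    norm = posixpath.normpath(name)
    return norm == ".." or norm.startswith("../")


def classify_entries(zip_bytes: bytes):
    """Split an archive's entries into (safe, rejected) name lists without
    writing anything to disk."""
    safe, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            (rejected if entry_escapes(name) else safe).append(name)
    return safe, rejected


def build_sample_archive() -> bytes:
    """Constructed in-memory sample archive (not a real artifact): two benign
    entries and three that an unchecked extractor would write outside the
    target directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("lib/app.jar", b"benign")
        zf.writestr("lib/../docs/README", b"benign")   # resolves to docs/README
        zf.writestr("../../outside.txt", b"escapes")   # climbs above the root
        zf.writestr("/abs/outside.txt", b"escapes")    # absolute path
        zf.writestr("a/../../b.txt", b"escapes")       # normalises to ../b.txt
    return buf.getvalue()


if __name__ == "__main__":
    safe, rejected = classify_entries(build_sample_archive())
    print("safe:    ", safe)
    print("rejected:", rejected)
```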

Fix

Path traversal

Weakness Enumeration

Related Identifiers

BDU:2024-02278
CVE-2022-37865
GHSA-94RR-4JR5-9H2P
MGASA-2023-0216
OPENSUSE-SU-2024:12506-1

Affected Products

Apache Ivy
Red Os