PT-2023-8841 · Apache · Apache Ivy

Cc Bomber

Published: 2023-08-17 · Updated: 2024-09-27 · CVE-2022-46751

CVSS v4.0: 8.8 (High)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Apache Ivy versions prior to 2.5.2

Description: The issue is related to improper restriction of XML external entity references, which can lead to XML injection, also known as blind XPath injection. When Apache Ivy parses XML files, it allows downloading external document type definitions (DTDs) and expands any entity references contained therein. This can be used to exfiltrate data, access resources, or disturb the execution of Ivy. The estimated number of potentially affected devices worldwide is not available. There is no information about real-world incidents where this issue was exploited.

Recommendations: For Apache Ivy versions prior to 2.5.2, users can use Java system properties to restrict processing of external DTDs, as described in Oracle's "Java API for XML Processing (JAXP) Security Guide". As a temporary workaround, consider disabling DTD processing when parsing XML files to minimize the risk of exploitation. Update to Apache Ivy version 2.5.2 or later, where DTD processing is disabled by default, except when parsing Maven POMs.
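Added example, not code from the advisory or from the Apache Ivy project: a small Java program showing the two JAXP configurations the recommendations describe, a parser that keeps DOCTYPE support but refuses to fetch external DTDs (the pre-2.5.2 workaround) and a parser that rejects any DOCTYPE (the 2.5.2 default for non-POM files). The class name, method names and the sample descriptor are constructed for illustration.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;
import java.io.StringReader;

public class DtdHardening {
    // Constructed sample input: an Ivy-style module descriptor whose DOCTYPE references an
    // external DTD. The host is a placeholder (.invalid TLD), not a real server.
    static final String DESCRIPTOR_WITH_DTD =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE ivy-module SYSTEM \"http://dtd-host.invalid/ivy.dtd\">\n"
        + "<ivy-module version=\"2.0\"><info organisation=\"org\" module=\"mod\"/></ivy-module>";

    // Workaround for Ivy before 2.5.2: DOCTYPE stays allowed, but fetching external DTDs is
    // forbidden. Same effect as launching the JVM with -Djavax.xml.accessExternalDTD="".
    static SAXParser restrictedExternalDtdParser() throws Exception {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        SAXParser parser = factory.newSAXParser();
        parser.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, ""); // empty list = no protocol allowed
        return parser;
    }

    // Stricter option: refuse any DOCTYPE, which is what 2.5.2 does by default for non-POM files.
    static SAXParser noDtdParser() throws Exception {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return factory.newSAXParser();
    }

    // Returns null when the document parses, otherwise the parser's refusal message.
    static String tryParse(SAXParser parser, String xml) throws Exception {
        try {
            parser.parse(new InputSource(new StringReader(xml)), new DefaultHandler());
            return null;
        } catch (SAXException e) {
            return e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Both hardened parsers refuse the descriptor instead of fetching the remote DTD.
        System.out.println("restricted: " + tryParse(restrictedExternalDtdParser(), DESCRIPTOR_WITH_DTD));
        System.out.println("no DTD:     " + tryParse(noDtdParser(), DESCRIPTOR_WITH_DTD));
    }
}
```

Run it against a descriptor without a DOCTYPE as well to confirm that ordinary Ivy files still parse under both configurations.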

Fix

Weakness Enumeration: XXE

Related Identifiers

BDU:2024-02252
CVE-2022-46751
GHSA-2JC4-R94C-RP7H
OPENSUSE-SU-2023_4367-1
OPENSUSE-SU-2024:13148-1
SUSE-SU-2023:4367-1
SUSE-SU-2023_4367-1

Affected Products

Apache Ivy
Suse