
CVE-2022-37865

Apache Ivy allows creating/overwriting any file on the system

  • Severity Score: 9.1 (CVSS v3.1)
  • Public Exploits: 0 (Multiple Sources)
  • Exploited in Wild: - (KEV)
  • Decision: - (SSVC)

Descriptions

With Apache Ivy 2.4.0 an optional packaging attribute has been introduced that allows artifacts to be unpacked on the fly if they used pack200 or zip packaging. For artifacts using the "zip", "jar" or "war" packaging Ivy prior to 2.5.1 doesn't verify the target path when extracting the archive. An archive containing absolute paths or paths that try to traverse "upwards" using ".." sequences can then write files to any location on the local file system that the user executing Ivy has write access to. Ivy users of version 2.4.0 to 2.5.0 should upgrade to Ivy 2.5.1.

A flaw was found in Apache Ivy. With Apache Ivy 2.4.0, an optional packaging attribute was introduced that allows artifacts to be unpacked on the fly if pack200 or zip packaging was used. This issue could allow a malicious user to have unwanted access.

*Credits: This issue was discovered by Kostya Kortchinsky of the Databricks Security Team.
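
An added example, not code from Ivy or from this page: a Python audit that lists the entries of a zip/jar/war artifact that would resolve outside the extraction directory, which is the target-path check the description says Ivy prior to 2.5.1 did not perform. The destination directory, the function names and the in-memory sample archive are assumptions constructed for illustration.

```python
import io
import posixpath
import zipfile

# Hypothetical extraction directory, chosen for this example only.
DEST = "/opt/ivy-cache/unpacked"


def escapes(entry_name, dest=DEST):
    """True if extracting entry_name verbatim under dest would land outside dest."""
    dest = posixpath.normpath(dest)
    # Zip names use "/", but treat "\" the same so Windows-style names are caught.
    name = entry_name.replace("\\", "/")
    # Absolute POSIX path or drive-letter path ("C:/...").
    if name.startswith("/") or (len(name) > 1 and name[0].isalpha() and name[1] == ":"):
        return True
    # Collapse "." and ".." segments, then require the result to stay under dest.
    resolved = posixpath.normpath(posixpath.join(dest, name))
    return not (resolved == dest or resolved.startswith(dest + "/"))


def unsafe_entries(archive, dest=DEST):
    """Return the entry names in a zip/jar/war that escape dest."""
    with zipfile.ZipFile(archive) as zf:
        return [n for n in zf.namelist() if escapes(n, dest)]


def constructed_sample():
    """Build an in-memory archive with constructed entry names (not real data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("META-INF/MANIFEST.MF", "lib/../ok.txt",
                     "../../outside.txt", "/tmp/absolute.txt"):
            zf.writestr(name, b"placeholder")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name in unsafe_entries(constructed_sample()):
        print("would escape", DEST, "->", name)
```
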
CVSS Scores
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: None
  • Integrity: High
  • Availability: High
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2022-08-08 CVE Reserved
  • 2022-11-07 CVE Published
  • 2024-08-03 CVE Updated
  • 2024-11-03 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CAPEC
Affected Vendors, Products, and Versions
  • Vendor: Apache; Product: Ivy; Version: >= 2.4.0 < 2.5.1; Other: -; Status: Affected