CVE-2022-37866: Apache Ivy allows path traversal in the presence of a malicious repository

Reference Links

• https://www.cve.org/CVERecord?id=CVE-2022-37866 https://nvd.nist.gov/vuln/detail/CVE-2022-37866
• https://bugzilla.redhat.com/show_bug.cgi?id=2150011
• https://access.redhat.com/errata/RHSA-2023:2100
• https://access.redhat.com/security/cve/cve-2022-37866
• https://lists.apache.org/thread/htxbr8oc464hxrgroftnz3my70whk93b
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YDIFDL5WSBEKBUVKTABUFDDD25SBNJLS/
• https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2154282
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YDIFDL5WSBEKBUVKTABUFDDD25SBNJLS/

Parent vulnerabilities

(Appears in the following advisories)

• RHSA-2023:2100

Frequently Asked Questions

• What is the vulnerability ID?

  The vulnerability ID for this flaw is CVE-2022-37866.

• What is the severity of CVE-2022-37866?

  CVE-2022-37866 has a severity score of 7.5 (High).

• What is the affected software?

  The affected software includes Apache Ivy version up to but not including 2.5.1.

• How can an attacker exploit CVE-2022-37866?

  An attacker can exploit CVE-2022-37866 by using '../' sequences in the artifact coordinates when downloading artifacts from a repository, which allows them to place artifacts inside and outside of the intended storage directory.

• Is there a fix available for CVE-2022-37866?

  Yes, the fix for CVE-2022-37866 is to upgrade to Apache Ivy version 2.5.1.