{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-37865", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "dateUpdated": "2023-07-04T00:00:00", "dateReserved": "2022-08-08T00:00:00", "datePublished": "2022-11-07T00:00:00"}, "containers": {"cna": {"title": "Apache Ivy allows creating/overwriting any file on the system", "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2023-07-04T00:00:00"}, "descriptions": [{"lang": "en", "value": "With Apache Ivy 2.4.0 an optional packaging attribute has been introduced that allows artifacts to be unpacked on the fly if they used pack200 or zip packaging. For artifacts using the \"zip\", \"jar\" or \"war\" packaging Ivy prior to 2.5.1 doesn't verify the target path when extracting the archive. An archive containing absolute paths or paths that try to traverse \"upwards\" using \"..\" sequences can then write files to any location on the local fie system that the user executing Ivy has write access to. Ivy users of version 2.4.0 to 2.5.0 should upgrade to Ivy 2.5.1."}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache Ivy", "versions": [{"version": "2.4.0", "status": "affected", "lessThan": "unspecified", "versionType": "custom"}, {"version": "unspecified", "lessThanOrEqual": "2.5.0", "status": "affected", "versionType": "custom"}]}], "references": [{"url": "https://lists.apache.org/thread/gqvvv7qsm2dfjg6xzsw1s2h08tbr0sdy"}, {"name": "FEDORA-2023-35f775fd6e", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YDIFDL5WSBEKBUVKTABUFDDD25SBNJLS/"}], "credits": [{"lang": "en", "value": "This issue was discovered by Kostya Kortchinsky of the Databricks Security Team."}], "metrics": [{"other": {"type": "unknown", "content": {"other": "medium"}}}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "allow create/overwrite any file on the syste"}]}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "source": {"discovery": "UNKNOWN"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:ivy:*:*:*:*:*:*:*:*", "matchCriteriaId": "904C5D5E-A06E-4BBF-BE87-E7CA460C19CD", "versionEndExcluding": "2.5.1", "versionStartIncluding": "2.4.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "With Apache Ivy 2.4.0 an optional packaging attribute has been introduced that allows artifacts to be unpacked on the fly if they used pack200 or zip packaging. For artifacts using the \"zip\", \"jar\" or \"war\" packaging Ivy prior to 2.5.1 doesn't verify the target path when extracting the archive. An archive containing absolute paths or paths that try to traverse \"upwards\" using \"..\" sequences can then write files to any location on the local fie system that the user executing Ivy has write access to. Ivy users of version 2.4.0 to 2.5.0 should upgrade to Ivy 2.5.1."}, {"lang": "es", "value": "Con Apache Ivy 2.4.0 se introdujo un atributo de empaquetado opcional que permite descomprimir los artefactos sobre la marcha si usaron embalaje pack200 o zip. Para los artefactos que utilizan el paquete \"zip\", \"jar\" o \"war\", Ivy anterior a 2.5.1 no verifica la ruta de destino al extraer el archivo. Un archivo que contiene rutas absolutas o intentos de path traversal \"upwards\" using\" usando secuencias \"..\" puede luego escribir archivos en cualquier ubicaci\u00f3n del sistema de archivos local a la que el usuario que ejecuta Ivy tenga acceso de escritura. Los usuarios de Ivy de la versi\u00f3n 2.4.0 a 2.5.0 deben actualizar a Ivy 2.5.1."}], "id": "CVE-2022-37865", "lastModified": "2023-11-07T03:49:53.787", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-11-07T11:15:10.043", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/gqvvv7qsm2dfjg6xzsw1s2h08tbr0sdy"}, {"source": "security@apache.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YDIFDL5WSBEKBUVKTABUFDDD25SBNJLS/"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}