CVE-2022-37865
CRITICAL: Apache Ivy 2.4.0-2.5.0 - Path Traversal and Arbitrary File Write via Archive Extraction
Title source: llmDescription
With Apache Ivy 2.4.0 an optional packaging attribute was introduced that allows artifacts to be unpacked on the fly if they use pack200 or zip packaging. For artifacts using the "zip", "jar" or "war" packaging, Ivy prior to 2.5.1 doesn't verify the target path when extracting the archive. An archive containing absolute paths, or paths that try to traverse "upwards" using ".." sequences, can then write files to any location on the local file system that the user executing Ivy has write access to. Ivy users of versions 2.4.0 to 2.5.0 should upgrade to Ivy 2.5.1.
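The target-path check the advisory describes as missing, shown as an added Java example that is not Ivy's own code: every entry name of a zip/jar/war artifact is resolved against the destination directory and rejected if it is absolute or climbs out of that directory with "..". The class name, the destination directory and the three entry names are constructed for illustration.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Arrays;
import java.util.List;

/**
 * Added example (not Ivy's code). Demonstrates the per-entry check that an
 * on-the-fly unpacking routine needs before it writes an archive entry to disk.
 */
public class SafeUnpackCheck {

    /** Returns the resolved target path, or throws if the entry would leave destDir. */
    static Path resolveEntry(Path destDir, String entryName) throws IOException {
        Path base = destDir.toAbsolutePath().normalize();
        // An absolute entry name would make resolve() discard destDir entirely.
        if (Paths.get(entryName).isAbsolute()) {
            throw new IOException("absolute entry name rejected: " + entryName);
        }
        // normalize() collapses ".." segments; if the result is outside base,
        // the entry escaped the destination directory and must not be written.
        Path target = base.resolve(entryName).normalize();
        if (!target.startsWith(base)) {
            throw new IOException("entry escapes destination: " + entryName);
        }
        return target;
    }

    public static void main(String[] args) {
        // Constructed entry names: one benign, one "..": traversal, one absolute path.
        List<String> entries = Arrays.asList(
            "META-INF/MANIFEST.MF",
            "../../outside.txt",
            "/tmp/escaped.txt");
        Path destDir = Paths.get("build", "unpacked"); // constructed destination
        for (String name : entries) {
            try {
                System.out.println("OK      " + resolveEntry(destDir, name));
            } catch (IOException e) {
                System.out.println("REJECT  " + e.getMessage());
            }
        }
    }
}
```

The `startsWith` comparison is component-wise, so a sibling directory such as `build/unpacked2` is not mistaken for a location inside `build/unpacked`.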
References (2)
- Mailing List, Vendor Advisory: https://lists.apache.org/thread/gqvvv7qsm2dfjg6xzsw1s2h08tbr0sdy
- Mailing List, Third Party Advisory (vendor-advisory): https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YDIFDL5WSBEKBUVKTABUFDDD25SBNJLS/
Scores
- CVSS v3: 9.1
- EPSS: 0.0048
- EPSS Percentile: 65.2%
- Attack Vector: NETWORK
- Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
CISA SSVC (Vulnrichment)
- Exploitation: none
- Automatable: yes
- Technical Impact: total
Details
- CWE: CWE-22
- Status: published
Products (2)
- apache/ivy: 2.4.0 - 2.5.1
- org.apache.ivy/ivy: 2.4.0 - 2.5.1 (Maven)
Published: Nov 07, 2022
Tracked Since: Feb 18, 2026