CVE-2022-37866

HIGH

Apache Ivy 2.0.0-2.5.1 - Path Traversal via Artifact Coordinate Placeholders

Title source: llm

Description

When Apache Ivy downloads artifacts from a repository it stores them in the local file system based on a user-supplied "pattern" that may include placeholders for artifacts coordinates like the organisation, module or version. If said coordinates contain "../" sequences - which are valid characters for Ivy coordinates in general - it is possible the artifacts are stored outside of Ivy's local cache or repository or can overwrite different artifacts inside of the local cache. In order to exploit this vulnerability an attacker needs collaboration by the remote repository as Ivy will issue http requests containing ".." sequences and a "normal" repository will not interpret them as part of the artifact coordinates. Users of Apache Ivy 2.0.0 to 2.5.1 should upgrade to Ivy 2.5.1.

References (2)

Core 2

Core References

Mailing List, Vendor Advisory

https://lists.apache.org/thread/htxbr8oc464hxrgroftnz3my70whk93b

Mailing List, Third Party Advisory vendor-advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YDIFDL5WSBEKBUVKTABUFDDD25SBNJLS/

Scores

CVSS v3 7.5

EPSS 0.0104

EPSS Percentile 77.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-22

Status published

Products (2)

apache/ivy 2.0.0 - 2.5.1

org.apache.ivy/ivy 2.0.0 - 2.5.1Maven

Published Nov 07, 2022

Tracked Since Feb 18, 2026