CVE-2022-46751

Severity
8.2 HIGH
EPSS
0.2%
top 62.72%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Aug 21
Latest update: Nov 13

Description

Improper Restriction of XML External Entity Reference, XML Injection (aka Blind XPath Injection) vulnerability in Apache Software Foundation Apache Ivy. This issue affects any version of Apache Ivy prior to 2.5.2. When Apache Ivy prior to 2.5.2 parses XML files - either its own configuration, Ivy files or Apache Maven POMs - it will allow downloading external document type definitions and expand any entity references contained therein when used. This can be used to exfiltrate data, access resou

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L
Exploitability: 3.9 | Impact: 4.2

Affected Packages (3 packages)

Source    | Package                               | Affected versions
CVEListV5 | apache_software_foundation/apache_ivy | 1.0.0 to 2.5.1
NVD       | apache/ivy                            | < 2.5.2
Maven     | org.apache.ivy:ivy                    | < 2.5.2

Vulnerability Details (3)

Source  | Title                                                       | Date
OSV     | Apache Ivy External Entity Reference vulnerability          | 2023-08-21
CVEList | Apache Ivy: XML External Entity vulnerability in Apache Ivy | 2023-08-21
GHSA    | Apache Ivy External Entity Reference vulnerability          | 2023-08-21

Vendor Advisories (4)

Vendor  | Advisory                                                                       | Date
Jenkins | Jenkins Security Advisory 2024-11-13                                           | 2024-11-13
Oracle  | Oracle Communications Risk Matrix: ATS Framework (Apache Ivy) — CVE-2022-46751 | 2024-01-15
Jenkins | Jenkins Security Advisory 2023-09-06                                           | 2023-09-06
Red Hat | apache-ivy: XML External Entity vulnerability                                  | 2023-08-20
CVE-2022-46751 (HIGH CVSS 8.2) | Improper Restriction of XML Externa | cvebase.io