When Apache Ivy downloads artifacts from a repository it stores them in the local file system based on a user-supplied "pattern" that may include placeholders for artifacts coordinates like the organisation, module or version. If said coordinates contain "../" sequences - which are valid characters for Ivy coordinates in general - it is possible the artifacts are stored outside of Ivy's local cache or repository or can overwrite different artifacts inside of the local cache. In order to exploit this vulnerability an attacker needs collaboration by the remote repository as Ivy will issue http requests containing ".." sequences and a "normal" repository will not interpret them as part of the artifact coordinates. Users of Apache Ivy 2.0.0 to 2.5.1 should upgrade to Ivy 2.5.1.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - When Apache Ivy downloads artifacts from a repository it stores them in the local file system based on a     user-supplied pattern that may include placeholders for artifacts coordinates like the organisation,     module or version. If said coordinates contain ../ sequences - which are valid characters for Ivy     coordinates in general - it is possible the artifacts are stored outside of Ivy's local cache or     repository or can overwrite different artifacts inside of the local cache. In order to exploit this     vulnerability an attacker needs collaboration by the remote repository as Ivy will issue http requests     containing .. sequences and a normal repository will not interpret them as part of the artifact     coordinates. Users of Apache Ivy 2.0.0 to 2.5.1 should upgrade to Ivy 2.5.1. (CVE-2022-37866)

Note that Nessus relies on the presence of the package as reported by the vendor.

The version of apache-ivy installed on the remote host is prior to 2.2.0-5.3. It is, therefore, affected by a vulnerability as referenced in the ALAS-2024-1910 advisory.

    When Apache Ivy downloads artifacts from a repository it stores them in the local file system based on a     user-supplied pattern that may include placeholders for artifacts coordinates like the organisation,     module or version. If said coordinates contain ../ sequences - which are valid characters for Ivy     coordinates in general - it is possible the artifacts are stored outside of Ivy's local cache or     repository or can overwrite different artifacts inside of the local cache. In order to exploit this     vulnerability an attacker needs collaboration by the remote repository as Ivy will issue http requests     containing .. sequences and a normal repository will not interpret them as part of the artifact     coordinates. Users of Apache Ivy 2.0.0 to 2.5.1 should upgrade to Ivy 2.5.1. (CVE-2022-37866)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of apache-ivy installed on the remote host is prior to 2.3.0-4. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2023-2165 advisory.

    When Apache Ivy downloads artifacts from a repository it stores them in the local file system based on a     user-supplied pattern that may include placeholders for artifacts coordinates like the organisation,     module or version. If said coordinates contain ../ sequences - which are valid characters for Ivy     coordinates in general - it is possible the artifacts are stored outside of Ivy's local cache or     repository or can overwrite different artifacts inside of the local cache. In order to exploit this     vulnerability an attacker needs collaboration by the remote repository as Ivy will issue http requests     containing .. sequences and a normal repository will not interpret them as part of the artifact     coordinates. Users of Apache Ivy 2.0.0 to 2.5.1 should upgrade to Ivy 2.5.1. (CVE-2022-37866)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Fedora 38 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2023-35f775fd6e advisory.

    **Changelog**     ```
    * Sun Jun 25 2023 Didik Supriadi <didiksupriadi41@fedoraproject.org> - 2.5.1-3
    - Build with ivy instead of maven     ```

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2023-174 advisory.

    A flaw was found in Apache Ivy. With Apache Ivy 2.4.0, an optional packaging attribute was introduced that     allows artifacts to be unpacked on the fly if pack200 or zip packaging was used. This issue could allow a     malicious user to have unwanted access. Ivy users of version 2.4.0 to 2.5.0 should upgrade to Ivy 2.5.1.
    (CVE-2022-37865)

    When Apache Ivy downloads artifacts from a repository it stores them in the local file system based on a     user-supplied pattern that may include placeholders for artifacts coordinates like the organisation,     module or version. If said coordinates contain ../ sequences - which are valid characters for Ivy     coordinates in general - it is possible the artifacts are stored outside of Ivy's local cache or     repository or can overwrite different artifacts inside of the local cache. In order to exploit this     vulnerability an attacker needs collaboration by the remote repository as Ivy will issue http requests     containing .. sequences and a normal repository will not interpret them as part of the artifact     coordinates. Users of Apache Ivy 2.0.0 to 2.5.1 should upgrade to Ivy 2.5.1. (CVE-2022-37866)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
224816	Linux Distros Unpatched Vulnerability : CVE-2022-37866	Nessus	Misc.	high
189395	Amazon Linux AMI : apache-ivy (ALAS-2024-1910)	Nessus	Amazon Linux Local Security Checks	high
178826	Amazon Linux 2 : apache-ivy (ALAS-2023-2165)	Nessus	Amazon Linux Local Security Checks	high
177912	Fedora 38 : apache-ivy (2023-35f775fd6e)	Nessus	Fedora Local Security Checks	critical
175079	Amazon Linux 2023 : apache-ivy, apache-ivy-javadoc (ALAS2023-2023-174)	Nessus	Amazon Linux Local Security Checks	critical

Detections

Analytics

CVE-2022-37866

high

Tenable Plugins

high

high

high

critical

critical