SCA: security update for org.apache.ivy:ivy (GHSA-2jc4-r94c-rp7h)

high Tenable Self-Hosted Container Security Plugin ID 408958

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Improper Restriction of XML External Entity Reference, XML Injection (aka Blind XPath Injection)
vulnerability in Apache Software Foundation Apache Ivy.This issue affects any version of Apache Ivy prior
to 2.5.2. When Apache Ivy prior to 2.5.2 parses XML files - either its own configuration, Ivy files or
Apache Maven POMs - it will allow downloading external document type definitions and expand any entity
references contained therein when used. This can be used to exfiltrate data, access resources only the
machine running Ivy has access to or disturb the execution of Ivy in different ways. Starting with Ivy
2.5.2 DTD processing is disabled by default except when parsing Maven POMs where the default is to allow
DTD processing but only to include a DTD snippet shipping with Ivy that is needed to deal with existing
Maven POMs that are not valid XML files but are nevertheless accepted by Maven. Access can be be made more
lenient via newly introduced system properties where needed. Users of Ivy prior to version 2.5.2 can use
Java system properties to restrict processing of external DTDs, see the section about "JAXP Properties for
External Access restrictions" inside Oracle's "Java API for XML Processing (JAXP) Security Guide".
(CVE-2022-46751)

See Also

https://github.com/advisories/GHSA-2jc4-r94c-rp7h

Plugin Details

Severity: High

ID: 408958

Version: Revision 1.17

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3.5

Percentile: 51.93

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 8.5

Temporal Score: 6.3

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:P

CVSS Score Source: CVE-2022-46751

CVSS v3

Risk Factor: High

Base Score: 8.2

Temporal Score: 7.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: High

Base Score: 8.8

Threat Score: 6.7

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 8/21/2023

Vulnerability Publication Date: 8/21/2023

Reference Information

CVE: CVE-2022-46751