Focusing on source-code security, collecting the latest news from China and abroad!
Compiled by: Code Guard
An XML external entity (XXE) vulnerability, which the advisory also labels as XML injection ("blind XPath injection"), exists in Apache Ivy. It could allow an attacker to exfiltrate data and reach resources that only the machine running Apache Ivy has access to.
The vulnerability affects every Apache Ivy version before 2.5.2. When Ivy parses XML files, whether its own configuration, Ivy files, or Apache Maven POMs, it downloads any external document type definition (DTD) the file references and expands the entity references declared there. Because a dependency's POM is content fetched from a repository, a malicious POM can use this to exfiltrate data, read resources that only the Ivy host can reach, or disturb Ivy's execution in other ways. The root cause is improper restriction of XML external entity references.
Apache Ivy is a dependency manager responsible for resolving project dependencies and is part of the Apache Ant project. It describes a project's dependencies in an XML file that lists the resources needed to build the project. The vulnerability has been assigned CVE-2022-46751; no CVSS score has been published yet.
Apache Ivy 2.5.2 Released
Before version 2.5.2, Apache Ivy performed DTD processing whenever it parsed Maven POMs and other XML files. Ivy 2.5.2 disables DTD processing by default for all files except Maven POMs; for POMs, DTD processing is still allowed, but only a DTD snippet shipped with Ivy may be included, which is needed to handle existing Maven POMs in the wild.
Such POMs are not valid XML files but are nevertheless accepted by Maven. Apache Ivy is a subproject of Apache Ant, the build automation tool that originated in 2000 as part of the Apache Tomcat project.
Users are advised to upgrade to Apache Ivy 2.5.2 to prevent exploitation of this vulnerability. Users who cannot upgrade yet can use Java system properties to restrict the processing of external DTDs.
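To make the DTD-processing problem concrete, here is an added example; it is not code from Apache Ivy or from the original article. It constructs a hypothetical malicious Maven POM whose DOCTYPE declares an external entity (pointing at a local file as a stand-in for a remote DTD), parses it with a JAXP DocumentBuilder left at its defaults, where the entity is expanded into the document, and then with a parser that refuses DOCTYPE declarations and external DTDs, the kind of restriction Ivy 2.5.2 applies by default. The class name, the sample POM and the file path are assumptions made for the demo.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

/**
 * Added illustration, not Ivy's own code: a constructed Maven POM carrying a
 * DOCTYPE with an external entity, parsed once with JAXP defaults (the entity
 * is expanded) and once with DTD processing disabled (the parse is refused).
 */
public class PomDtdDemo {

    // Constructed attacker-controlled POM. The entity reads a local file as a
    // stand-in for what a remote DTD would exfiltrate; the path is an assumption
    // for the demo and exists on most Linux hosts.
    static final String MALICIOUS_POM =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE project [\n"
      + "  <!ENTITY leak SYSTEM \"file:///etc/hostname\">\n"
      + "]>\n"
      + "<project>\n"
      + "  <groupId>com.example</groupId>\n"
      + "  <artifactId>demo</artifactId>\n"
      + "  <version>1.0</version>\n"
      + "  <description>&leak;</description>\n"
      + "</project>\n";

    /** Parser with JAXP defaults: DOCTYPE allowed, external entities resolved. */
    static DocumentBuilder defaultParser() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    /** Hardened parser: refuse any DOCTYPE and, as defence in depth, external entities and DTDs. */
    static DocumentBuilder hardenedParser() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        // Same restriction the javax.xml.accessExternalDTD system property applies JVM-wide.
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setXIncludeAware(false);
        return f.newDocumentBuilder();
    }

    /** Returns the text of the POM's <description> element after parsing with the given parser. */
    static String description(DocumentBuilder parser, String pom) throws Exception {
        Document doc = parser.parse(new InputSource(new StringReader(pom)));
        return doc.getElementsByTagName("description").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // 1. Vulnerable path: the entity is expanded and the file contents land in the DOM.
        System.out.println("default parser  -> description = "
            + description(defaultParser(), MALICIOUS_POM).trim());

        // 2. Hardened path: the DOCTYPE is rejected before any entity can be resolved.
        try {
            description(hardenedParser(), MALICIOUS_POM);
            System.out.println("hardened parser -> unexpectedly parsed the POM");
        } catch (SAXParseException e) {
            System.out.println("hardened parser -> rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac PomDtdDemo.java && java PomDtdDemo`. The same restriction can be applied JVM-wide without code changes through the standard JAXP system property, `-Djavax.xml.accessExternalDTD=""`, which the JDK's built-in parsers honour for both external DTDs and external entities; whether that covers a given Ivy deployment depends on Ivy using those JDK parsers, which is assumed here, so upgrading to 2.5.2 remains the proper fix.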
Code Guard Trial Address: https://codesafe.qianxin.com
Open source guard trial address: https://oss.qianxin.com
recommended reading
Unpatched Apache Tomcat Server Spreads Mirai Botnet Malware
Critical RCE Vulnerability in Apache Jackrabbit
【Reproduced】Apache Kafka Connect JNDI Injection Vulnerability (CVE-2023-25194) Security Risk Notice
Online reading version: "2023 China Software Supply Chain Security Analysis Report" full text
Original link
https://gbhackers.com/apache-ivy-injection-flaw/
Title image: Pexels License
This article was compiled by Qi Anxin and does not represent the views of Qi Anxin. When reprinting, please credit "Reprinted from Qi Anxin Code Guard https://codesafe.qianxin.com".
Qi Anxin code guard (codesafe)
The first domestic product line focusing on software development security.