org.apache.ivy:ivy@2.2.0-rc1 vulnerabilities

latest version

2.5.2
latest non vulnerable version

2.5.2
first published

17 years ago
latest version published

10 months ago
licenses detected
- Apache-2.0
  [0,)
package manager

View on Maven Repository

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the org.apache.ivy:ivy package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability Vulnerable Version

Vulnerability	Vulnerable Version
H XML External Entity (XXE) Injection Affected versions of this package are vulnerable to XML External Entity (XXE) Injection. When Apache Ivy parses XML files - either its own configuration, Ivy files or Apache Maven POMs - it will allow downloading external document type definitions and expand any entity references contained therein when used. This can be used to exfiltrate data, access resources only the machine running Ivy has access to or disturb the execution of Ivy in different ways. How to fix XML External Entity (XXE) Injection? Upgrade `org.apache.ivy:ivy` to version 2.5.2 or higher.	[,2.5.2)
H Directory Traversal Affected versions of this package are vulnerable to Directory Traversal in the `IvyPatternHelper` class, which does not strip out `..` sequences from artifact coordinate patterns. This allows an attacker in control of the remote repository to access artifacts in locations outside the local cache or overwrite artifacts in the local cache. How to fix Directory Traversal? Upgrade `org.apache.ivy:ivy` to version 2.5.1 or higher.	[2.0.0,2.5.1)

XML External Entity (XXE) Injection

Affected versions of this package are vulnerable to XML External Entity (XXE) Injection. When Apache Ivy parses XML files - either its own configuration, Ivy files or Apache Maven POMs - it will allow downloading external document type definitions and expand any entity references contained therein when used.

This can be used to exfiltrate data, access resources only the machine running Ivy has access to or disturb the execution of Ivy in different ways.

How to fix XML External Entity (XXE) Injection?

Upgrade org.apache.ivy:ivy to version 2.5.2 or higher.

[,2.5.2)

Directory Traversal

Affected versions of this package are vulnerable to Directory Traversal in the IvyPatternHelper class, which does not strip out .. sequences from artifact coordinate patterns. This allows an attacker in control of the remote repository to access artifacts in locations outside the local cache or overwrite artifacts in the local cache.

How to fix Directory Traversal?

Upgrade org.apache.ivy:ivy to version 2.5.1 or higher.

[2.0.0,2.5.1)

Go back to all versions of this package

org.apache.ivy:ivy@2.2.0-rc1 vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package manager

Direct Vulnerabilities