org.apache.ivy:ivy 2.4.0 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.apache.ivy:ivy package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
H XML External Entity (XXE) Injection Affected versions of this package are vulnerable to XML External Entity (XXE) Injection. When Apache Ivy parses XML files - either its own configuration, Ivy files or Apache Maven POMs - it will allow downloading external document type definitions and expand any entity references contained therein when used. This can be used to exfiltrate data, access resources only the machine running Ivy has access to or disturb the execution of Ivy in different ways. How to fix XML External Entity (XXE) Injection? Upgrade `org.apache.ivy:ivy` to version 2.5.2 or higher.	[,2.5.2)
H Directory Traversal Affected versions of this package are vulnerable to Directory Traversal in the `IvyPatternHelper` class, which does not strip out `..` sequences from artifact coordinate patterns. This allows an attacker in control of the remote repository to access artifacts in locations outside the local cache or overwrite artifacts in the local cache. How to fix Directory Traversal? Upgrade `org.apache.ivy:ivy` to version 2.5.1 or higher.	[2.0.0,2.5.1)
H Directory Traversal Affected versions of this package are vulnerable to Directory Traversal due to missing verification of the target path when extracting the archive using the `zip`, `jar` or `war` packaging. An archive containing absolute paths or paths that try to traverse upwards using `..` sequences can write files to any location on the local fie system that the user executing Ivy has write access to. How to fix Directory Traversal? Upgrade `org.apache.ivy:ivy` to version 2.5.1 or higher.	[2.4.0,2.5.1)

Vulnerability

Vulnerable Version

XML External Entity (XXE) Injection

Affected versions of this package are vulnerable to XML External Entity (XXE) Injection. When Apache Ivy parses XML files - either its own configuration, Ivy files or Apache Maven POMs - it will allow downloading external document type definitions and expand any entity references contained therein when used.

This can be used to exfiltrate data, access resources only the machine running Ivy has access to or disturb the execution of Ivy in different ways.

How to fix XML External Entity (XXE) Injection?

Upgrade org.apache.ivy:ivy to version 2.5.2 or higher.

[,2.5.2)

Directory Traversal

Affected versions of this package are vulnerable to Directory Traversal in the IvyPatternHelper class, which does not strip out .. sequences from artifact coordinate patterns. This allows an attacker in control of the remote repository to access artifacts in locations outside the local cache or overwrite artifacts in the local cache.

How to fix Directory Traversal?

Upgrade org.apache.ivy:ivy to version 2.5.1 or higher.

[2.0.0,2.5.1)

Directory Traversal

Affected versions of this package are vulnerable to Directory Traversal due to missing verification of the target path when extracting the archive using the zip, jar or war packaging. An archive containing absolute paths or paths that try to traverse upwards using .. sequences can write files to any location on the local fie system that the user executing Ivy has write access to.

How to fix Directory Traversal?

Upgrade org.apache.ivy:ivy to version 2.5.1 or higher.

[2.4.0,2.5.1)

org.apache.ivy:ivy@2.4.0 vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package registry

Direct Vulnerabilities

Fix vulnerabilities automatically