org.apache.ivy:ivy@2.4.0 vulnerabilities

Affected versions of this package are vulnerable to XML External Entity (XXE) Injection. When Apache Ivy parses XML files - either its own configuration, Ivy files or Apache Maven POMs - it will allow downloading external document type definitions and expand any entity references contained therein when used.

This can be used to exfiltrate data, access resources only the machine running Ivy has access to or disturb the execution of Ivy in different ways.

Upgrade org.apache.ivy:ivy to version 2.5.2 or higher.

Affected versions of this package are vulnerable to Directory Traversal in the IvyPatternHelper class, which does not strip out .. sequences from artifact coordinate patterns. This allows an attacker in control of the remote repository to access artifacts in locations outside the local cache or overwrite artifacts in the local cache.

Upgrade org.apache.ivy:ivy to version 2.5.1 or higher.

Affected versions of this package are vulnerable to Directory Traversal due to missing verification of the target path when extracting the archive using the zip, jar or war packaging. An archive containing absolute paths or paths that try to traverse upwards using .. sequences can write files to any location on the local fie system that the user executing Ivy has write access to.

Upgrade org.apache.ivy:ivy to version 2.5.1 or higher.