CVE-2022-46751

CVSS 3.1 Score 8.2 of 10 (high)

Details

Published: Aug 21, 2023
Updated: Sep 6, 2023
CWE ID: 611
CWE ID: 91

Summary

CVE-2022-46751 is an XML External Entity Reference (XXE) vulnerability affecting Apache Ivy before version 2.5.2. This issue allows an attacker to inject XML code, leading to unintended data exfiltration, resource access, or execution disruption. When processing XML files, Apache Ivy will inadvertently download external Document Type Definitions (DTDs) and expand entity references within them. This can result in severe consequences, such as data leakage or system manipulation. To mitigate the risk, Apache Ivy 2.5.2 disables DTD processing by default for all files except Maven POMs. Newly introduced system properties offer greater flexibility for controlled access to external DTDs, if necessary. For versions prior to 2.5.2, users can apply Java system properties to restrict DTD processing and minimize the risk of XXE attacks.
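The mitigation described above, disabling DOCTYPE and external DTD processing in a JAXP parser, is shown below as an added example; it is not Apache Ivy's own code. It assumes the JDK's built-in Xerces parser (the feature URIs are the standard Xerces/SAX ones), and the sample descriptors and the `dtd.example.invalid` URL are constructed placeholders. The hardened builder accepts a plain `ivy-module` descriptor and rejects the same descriptor when a DOCTYPE pointing at an external DTD is prepended.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

// Added example (not Ivy's code): a DOM parser configured so that no DOCTYPE is
// processed and no external DTD or entity is ever fetched, i.e. the class of
// behaviour CVE-2022-46751 describes is switched off at the parser level.
public class HardenedIvyXmlParser {

    public static DocumentBuilder newHardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Reject any <!DOCTYPE ...> outright; this alone prevents XXE with Xerces.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces for parser implementations that do not honour the feature above.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        // JAXP 1.5 access restriction: an empty string means no protocol may reach an external DTD.
        // The same restriction can be applied process-wide with -Djavax.xml.accessExternalDTD=""
        // which is the route the advisory points to for Ivy releases before 2.5.2.
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder();
    }

    // Parse an XML string and return its root element name; throws SAXException
    // when the document carries a DOCTYPE because the hardened builder forbids it.
    public static String rootElementName(String xml) throws Exception {
        Document doc = newHardenedBuilder().parse(new InputSource(new StringReader(xml)));
        return doc.getDocumentElement().getTagName();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a minimal ivy-module descriptor with no DOCTYPE.
        String clean = "<ivy-module version=\"2.0\">"
            + "<info organisation=\"example\" module=\"demo\"/>"
            + "</ivy-module>";
        System.out.println("clean descriptor root: " + rootElementName(clean));

        // Constructed sample: the same descriptor preceded by a DOCTYPE that references an
        // external DTD at a placeholder host. A parser that honours DOCTYPEs would try to
        // download it, which is exactly the behaviour the advisory warns about.
        String withDoctype = "<!DOCTYPE ivy-module SYSTEM \"http://dtd.example.invalid/ivy.dtd\">" + clean;
        try {
            rootElementName(withDoctype);
            System.out.println("UNEXPECTED: DOCTYPE was accepted");
        } catch (SAXException e) {
            System.out.println("DOCTYPE rejected as intended: " + e.getMessage());
        }
    }
}
```

Running `main` prints the root element for the clean descriptor and a "DOCTYPE rejected" message for the second one; no network access is attempted in either case. For an Ivy installation that cannot yet move to 2.5.2, the equivalent process-wide control is starting the JVM that runs Ivy with `-Djavax.xml.accessExternalDTD=""`, as the summary's reference to Java system properties suggests.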


Affected Products

  • Apache Ivy

Affected Vendors

  • Apache Software Foundation