CVE-2022-46751
CVSS 3.1 Score 8.2 of 10 (high)
Details
Summary
CVE-2022-46751 is an XML External Entity (XXE) vulnerability (Improper Restriction of XML External Entity Reference) in Apache Ivy; every version prior to 2.5.2 is affected. When Ivy before 2.5.2 parses an XML file, whether its own settings file, an Ivy module descriptor or a Maven POM, it allows any external Document Type Definition (DTD) referenced by the document to be downloaded and expands the entity references declared in it. Because Ivy fetches module descriptors and POMs from remote repositories, an attacker who can supply or tamper with one of these files can use entity expansion to exfiltrate data from the machine running Ivy, reach resources that only that machine can access, or disrupt Ivy's execution. Starting with Ivy 2.5.2, DTD processing is disabled by default, except when parsing Maven POMs, where the default is to allow only a DTD snippet shipped with Ivy that is needed to accept existing POMs which are not well-formed XML but are nevertheless accepted by Maven; newly introduced system properties allow this access to be made more lenient where it is genuinely needed. Users of versions before 2.5.2 can restrict the processing of external DTDs with the standard JAXP system properties; see the section "JAXP Properties for External Access Restrictions" in Oracle's Java API for XML Processing (JAXP) Security Guide.
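The Java program below is an added example, not code from the Apache Ivy project or from this advisory. It reproduces the mechanism described above with the JDK's standard JAXP parser (Ivy's own parser wiring is not shown) and then applies the two hardening approaches the summary refers to: restricting external DTD access with the JAXP property that the pre-2.5.2 system-property mitigation sets (javax.xml.accessExternalDTD), and refusing DOCTYPE declarations altogether, which is what "DTD processing disabled" amounts to. The file names, the class name and the use of a description element as the expansion point are assumptions chosen for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

/**
 * Reproduces the CVE-2022-46751 pattern with the JDK's JAXP parser: an external DTD
 * referenced from an Ivy-style descriptor declares an entity backed by a local file,
 * and an unrestricted parser expands it. Hypothetical names; not Ivy's own code.
 */
public class IvyXxeDemo {

    enum Mode {
        UNRESTRICTED,     // JDK defaults: external DTDs and entities are fetched and expanded
        NO_EXTERNAL_DTD,  // JAXP access restriction, equivalent to -Djavax.xml.accessExternalDTD=""
        NO_DOCTYPE        // reject any DOCTYPE, i.e. no DTD processing at all
    }

    /** Parses an Ivy-style module descriptor and returns the text of its description element. */
    static String parseDescription(Path ivyFile, Mode mode) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        switch (mode) {
            case NO_EXTERNAL_DTD:
                // Empty allow-list: no protocol (file, http, ...) may be used to fetch an
                // external DTD or external entity. This is the pre-2.5.2 mitigation from the
                // JAXP Security Guide, applied to one factory instead of JVM-wide.
                dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
                dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
                break;
            case NO_DOCTYPE:
                // Xerces feature: any DOCTYPE declaration is a fatal error, so neither an
                // internal nor an external DTD can be processed.
                dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
                break;
            default:
                break;
        }
        Document doc = dbf.newDocumentBuilder().parse(ivyFile.toFile());
        return doc.getElementsByTagName("description").item(0).getTextContent().trim();
    }

    public static void main(String[] args) throws Exception {
        Path dir = Files.createTempDirectory("ivy-xxe");

        // Constructed "secret" standing in for any file readable by the build machine.
        Path secret = dir.resolve("secret.txt");
        Files.write(secret, "hunter2".getBytes(StandardCharsets.UTF_8));

        // Constructed attacker-controlled DTD: declares an entity whose value is a local file.
        Path dtd = dir.resolve("evil.dtd");
        Files.write(dtd, ("<!ENTITY secret SYSTEM \"" + secret.toUri() + "\">")
                .getBytes(StandardCharsets.UTF_8));

        // Constructed module descriptor that pulls in the DTD and expands the entity in element
        // content (the XML spec forbids references to external entities inside attribute values).
        Path ivyXml = dir.resolve("ivy.xml");
        String xml = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE ivy-module SYSTEM \"" + dtd.toUri() + "\">\n"
                + "<ivy-module version=\"2.0\">\n"
                + "  <info organisation=\"org.example\" module=\"demo\">\n"
                + "    <description>&secret;</description>\n"
                + "  </info>\n"
                + "</ivy-module>\n";
        Files.write(ivyXml, xml.getBytes(StandardCharsets.UTF_8));

        // Vulnerable behaviour: the file content lands in the parsed document, from where a real
        // consumer could log it or embed it in a URL sent to a remote repository.
        System.out.println("UNRESTRICTED: description=" + parseDescription(ivyXml, Mode.UNRESTRICTED));

        // Both hardened modes reject the document before any entity is expanded.
        for (Mode mode : new Mode[] {Mode.NO_EXTERNAL_DTD, Mode.NO_DOCTYPE}) {
            try {
                parseDescription(ivyXml, mode);
                System.out.println(mode + ": unexpectedly parsed");
            } catch (SAXException e) {
                System.out.println(mode + ": rejected: " + e.getMessage());
            }
        }
    }
}
```

Compile and run with `javac IvyXxeDemo.java && java IvyXxeDemo`: the unrestricted parse returns the contents of secret.txt, while both restricted parses fail with a SAXParseException before the entity is ever resolved. For an unpatched Ivy whose parser configuration you cannot change, the JVM-wide equivalent of the NO_EXTERNAL_DTD mode is the system property `-Djavax.xml.accessExternalDTD=` (for Ant, passed through the ANT_OPTS environment variable); this is the blanket JAXP restriction the summary mentions, and, unlike the 2.5.2 fix, it makes no exception for the bundled DTD snippet that Ivy uses to accept malformed Maven POMs.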
Affected Products
- Apache Ivy
Affected Vendors
- Apache Software Foundation