[ 
https://issues.apache.org/jira/browse/ATLAS-4800?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Disha Talreja updated ATLAS-4800:
---------------------------------
    Description: 
Upgrade Apache Ivy to 2.5.2 due to CVE-2022-46751

Improper Restriction of XML External Entity Reference, XML Injection (aka Blind
XPath Injection) vulnerability in Apache Software Foundation Apache Ivy. This
issue affects any version of Apache Ivy prior to 2.5.2. When Apache Ivy prior
to 2.5.2 parses XML files - either its own configuration, Ivy files or Apache
Maven POMs - it will allow downloading external document type definitions and
expand any entity references contained therein when used. This can be used to
exfiltrate data, access resources only the machine running Ivy has access to or
disturb the execution of Ivy in different ways.

CVSSv3 Score: 8.2 (High)

[https://nvd.nist.gov/vuln/detail/CVE-2022-46751]

> Atlas - Upgrade Apache Ivy to 2.5.2 due to CVE-2022-46751
> ---------------------------------------------------------
>
>                 Key: ATLAS-4800
>                 URL: https://issues.apache.org/jira/browse/ATLAS-4800
>             Project: Atlas
>          Issue Type: Task
>          Components:  atlas-core
>            Reporter: Disha Talreja
>            Assignee: Disha Talreja
>            Priority: Major
>
> Upgrade Apache Ivy to 2.5.2 due to CVE-2022-46751
> Improper Restriction of XML External Entity Reference, XML Injection (aka
> Blind XPath Injection) vulnerability in Apache Software Foundation Apache
> Ivy. This issue affects any version of Apache Ivy prior to 2.5.2. When Apache
> Ivy prior to 2.5.2 parses XML files - either its own configuration, Ivy files
> or Apache Maven POMs - it will allow downloading external document type
> definitions and expand any entity references contained therein when used.
> This can be used to exfiltrate data, access resources only the machine
> running Ivy has access to or disturb the execution of Ivy in different ways.
> CVSSv3 Score: 8.2 (High)
> [https://nvd.nist.gov/vuln/detail/CVE-2022-46751]
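The issue described above is a classic XXE exposure: a JAXP parser left at its defaults will honour a DOCTYPE, fetch the external DTD it names and expand entities from it. Upgrading Ivy is the fix for the Ivy code path, but the same class of bug is worth checking for in any Atlas or build-tooling code that parses XML from repositories or POMs. The following is an added example, not code from Apache Ivy, Atlas or this ticket, showing the parser configuration that closes the hole: the JDK's built-in Xerces parser is told to reject any DOCTYPE declaration and never to load external entities or DTDs. The two descriptors are constructed inputs, and the DTD hostname is a placeholder, not a real resource.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class HardenedXmlParser {

    // Constructed sample: a module descriptor whose DOCTYPE points at an external DTD.
    // With default JAXP settings the parser would fetch that DTD and expand its entities,
    // which is the behaviour CVE-2022-46751 describes. The hostname is a placeholder.
    static final String UNTRUSTED_IVY_XML =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE ivy-module SYSTEM \"http://example.invalid/ivy.dtd\">\n"
      + "<ivy-module version=\"2.0\"><info organisation=\"org\" module=\"mod\"/></ivy-module>";

    // Constructed sample: the same descriptor without any DOCTYPE.
    static final String PLAIN_IVY_XML =
        "<?xml version=\"1.0\"?>\n"
      + "<ivy-module version=\"2.0\"><info organisation=\"org\" module=\"mod\"/></ivy-module>";

    /** Factory configured so that no DTD is ever declared, loaded or expanded. */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Reject any DOCTYPE outright (Xerces feature honoured by the JDK's bundled parser).
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that do not implement the feature above:
        // never resolve external general or parameter entities, never fetch a DTD.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** Parses xml with the hardened factory; returns the root element name, or null if rejected. */
    static String parseRootElement(String xml) throws Exception {
        DocumentBuilder builder = hardenedFactory().newDocumentBuilder();
        try {
            Document doc = builder.parse(new InputSource(new StringReader(xml)));
            return doc.getDocumentElement().getTagName();
        } catch (SAXParseException e) {
            // disallow-doctype-decl makes the parser fail on the DOCTYPE line itself,
            // before any request for the external DTD is attempted.
            System.out.println("rejected: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("plain descriptor   -> " + parseRootElement(PLAIN_IVY_XML));
        System.out.println("DOCTYPE descriptor -> " + parseRootElement(UNTRUSTED_IVY_XML));
    }
}
```

Run with `javac HardenedXmlParser.java && java HardenedXmlParser`: the plain descriptor parses to `ivy-module`, while the descriptor carrying a DOCTYPE is rejected with a "DOCTYPE is disallowed" parse error and no network access is made. Rejecting the DOCTYPE wholesale is the right default for machine-generated formats such as Ivy files and POMs, which have no legitimate need for DTDs; if a feed genuinely requires a DTD, keep the other features and supply a local EntityResolver instead of allowing remote fetches.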

--
This message was sent by Atlassian Jira
(v8.20.10#820010)