[ https://issues.apache.org/jira/browse/ATLAS-4800?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17782265#comment-17782265 ]
ASF subversion and git services commented on ATLAS-4800:
--------------------------------------------------------

Commit 7e1286266ebd876c78d9130e057e25d58ebed052 in atlas's branch refs/heads/master from Disha Talreja
[ https://gitbox.apache.org/repos/asf?p=atlas.git;h=7e1286266 ]

ATLAS-4800: Atlas - Upgrade Apache Ivy to 2.5.2 due to CVE-2022-46751

Signed-off-by: radhikakundam <radhikakun...@apache.org>

> Atlas - Upgrade Apache Ivy to 2.5.2 due to CVE-2022-46751
> ---------------------------------------------------------
>
>                 Key: ATLAS-4800
>                 URL: https://issues.apache.org/jira/browse/ATLAS-4800
>             Project: Atlas
>          Issue Type: Task
>          Components: atlas-core
>            Reporter: Disha Talreja
>            Assignee: Disha Talreja
>            Priority: Major
>         Attachments: ATLAS-4800.patch
>
>
> Upgrade Apache Ivy to 2.5.2 due to CVE-2022-46751
>
> Improper Restriction of XML External Entity Reference, XML Injection (aka Blind XPath Injection) vulnerability in Apache Software Foundation Apache Ivy. This issue affects any version of Apache Ivy prior to 2.5.2. When Apache Ivy prior to 2.5.2 parses XML files - either its own configuration, Ivy files or Apache Maven POMs - it will allow downloading external document type definitions and expand any entity references contained therein when used. This can be used to exfiltrate data, access resources only the machine running Ivy has access to or disturb the execution of Ivy in different ways.
>
> CVSSv3 Score: 8.2 (High)
>
> [https://nvd.nist.gov/vuln/detail/CVE-2022-46751]

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
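The ticket above states the fix as a version bump: every Ivy release before 2.5.2 is affected. The check a practitioner wants after reading it is whether a given build still resolves a vulnerable Ivy, which is not obvious when the version is carried in a `${property}` or supplied through `dependencyManagement`, as it is in multi-module Maven builds like Atlas. The script below is an added example, not code from the Atlas project, the Ivy project or the Jira ticket. It assumes the affected range is exactly "prior to 2.5.2" (taken from the advisory text), that the Ivy artifact is `org.apache.ivy:ivy`, and that the POM is self-contained (versions inherited from a parent POM are reported as unresolved rather than guessed). The sample `pom.xml` embedded in it is constructed for the demonstration and is not Atlas's real build file.

```python
"""Audit a Maven POM for an Apache Ivy version affected by CVE-2022-46751.

Added example, not code from Apache Atlas, Apache Ivy or the Jira ticket.
Assumptions: the fixed version is 2.5.2 (per the advisory), the artifact is
org.apache.ivy:ivy, and versions come from this POM's own <properties> or
<dependencyManagement>; parent-POM inheritance is reported as unresolved.
"""
import re
import xml.etree.ElementTree as ET

POM_NS = "http://maven.apache.org/POM/4.0.0"
FIXED_IVY_VERSION = "2.5.2"  # first release without CVE-2022-46751

# Constructed sample in the style of a module pom; NOT Atlas's real pom.xml.
# The dependency omits <version>, so the effective version comes from
# <dependencyManagement>, which in turn points at a property.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>
  <artifactId>example-core</artifactId>
  <version>1.0.0-SNAPSHOT</version>
  <properties>
    <ivy.version>2.5.1</ivy.version>
  </properties>
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.apache.ivy</groupId>
        <artifactId>ivy</artifactId>
        <version>${ivy.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>org.apache.ivy</groupId>
      <artifactId>ivy</artifactId>
    </dependency>
  </dependencies>
</project>
"""


def _tag(name):
    return "{%s}%s" % (POM_NS, name)


def parse_version(v):
    """Map '2.5.2' or '2.5.2-rc1' to a comparable tuple.

    Numeric parts compare numerically; a qualifier such as rc1 sorts before
    the bare release with the same numbers, as Maven treats pre-releases.
    """
    main, _, qualifier = v.partition("-")
    nums = tuple(int(p) for p in re.findall(r"\d+", main))
    return (nums, 1) if not qualifier else (nums, 0, qualifier)


def resolve_property(value, props):
    """Expand ${name} references; return None if any stay unresolved."""
    if value is None:
        return None
    expanded = re.sub(r"\$\{([^}]+)\}",
                      lambda m: props.get(m.group(1), m.group(0)), value.strip())
    return None if "${" in expanded else expanded


def find_ivy_versions(pom_text):
    """Effective org.apache.ivy:ivy version for each top-level dependency."""
    # ElementTree/expat does not fetch external DTDs or entities by default,
    # which is precisely the behaviour the advisory says pre-2.5.2 Ivy lacked.
    root = ET.fromstring(pom_text)
    props = {}
    props_el = root.find(_tag("properties"))
    if props_el is not None:
        for p in props_el:
            props[p.tag.split("}", 1)[-1]] = (p.text or "").strip()

    def coords(dep):
        g = (dep.findtext(_tag("groupId")) or "").strip()
        a = (dep.findtext(_tag("artifactId")) or "").strip()
        return g, a, resolve_property(dep.findtext(_tag("version")), props)

    managed = {}
    path = "%s/%s/%s" % (_tag("dependencyManagement"), _tag("dependencies"), _tag("dependency"))
    for dep in root.iterfind(path):
        g, a, v = coords(dep)
        managed[(g, a)] = v

    found = []
    for dep in root.iterfind("%s/%s" % (_tag("dependencies"), _tag("dependency"))):
        g, a, v = coords(dep)
        if (g, a) == ("org.apache.ivy", "ivy"):
            found.append(v if v is not None else managed.get((g, a)))
    return found


def is_vulnerable(version):
    """CVE-2022-46751 affects every Ivy release before 2.5.2."""
    return parse_version(version) < parse_version(FIXED_IVY_VERSION)


def audit(pom_text):
    """List each Ivy dependency with its version and vulnerability verdict."""
    return [{"version": v, "vulnerable": None if v is None else is_vulnerable(v)}
            for v in find_ivy_versions(pom_text)]


if __name__ == "__main__":
    for entry in audit(SAMPLE_POM):
        print("org.apache.ivy:ivy", entry["version"], "vulnerable:", entry["vulnerable"])
```

Run against the constructed sample it reports Ivy 2.5.1 as vulnerable; changing the `ivy.version` property to 2.5.2 clears the finding, which is the effect of the upgrade committed above. A `None` verdict means the version could not be resolved from this POM alone (typically inherited from a parent), and should be checked with the effective POM (`mvn help:effective-pom`) rather than assumed safe.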