CVE-2022-46751
Improper Restriction of XML External Entity Reference vulnerability in ivy (Maven)

Improper Restriction of XML External Entity Reference | No known exploit

What is CVE-2022-46751 About?

This is an XML External Entity (XXE) and XML Injection (Blind XPath Injection) vulnerability in Apache Ivy versions prior to 2.5.2. It allows attackers to exfiltrate data, access internal resources, or disrupt application execution. Exploitation requires malicious XML to be sent to, and processed by, the vulnerable Ivy instance.

Affected Software

org.apache.ivy:ivy <2.5.2

Technical Details

The vulnerability in Apache Ivy (versions prior to 2.5.2) stems from improper restriction of XML External Entity References and is also an XML Injection (Blind XPath Injection). When Apache Ivy parses XML files, including its own configurations, Ivy files, or Apache Maven POMs, it is configured to allow the downloading of external Document Type Definitions (DTDs) and to expand any entity references within them. An attacker can craft a malicious XML input that includes external entity declarations pointing to attacker-controlled resources or internal system files. When Ivy processes this XML, it attempts to resolve these external entities, which can lead to several kinds of attack: exfiltrating data by directing the external entity to a server controlled by the attacker, accessing resources on the internal network that the machine running Ivy can reach (SSRF-like functionality), or disrupting the application's execution through malformed DTDs or excessive resource consumption.
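
The parser behaviour described above, shown with the JDK's standard JAXP API as an added example (not Ivy's own code and not part of the original page): a default `DocumentBuilderFactory` is compared with a hardened one on a constructed Ivy-style descriptor that declares an external entity. The class name, the sample document and the placeholder path are assumptions made for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;

public class XxeHardeningDemo {
    // Constructed sample: Ivy-style descriptor whose internal DTD declares an
    // external entity. The target is a placeholder path that does not exist.
    static final String SAMPLE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE ivy-module [ <!ENTITY ext SYSTEM \"file:///placeholder/does-not-exist\"> ]>\n"
      + "<ivy-module version=\"2.0\">\n"
      + "  <info organisation=\"example\" module=\"demo\"><description>&ext;</description></info>\n"
      + "</ivy-module>\n";

    // JAXP defaults: DOCTYPE accepted, external entities resolved during parsing.
    static DocumentBuilderFactory permissive() {
        return DocumentBuilderFactory.newInstance();
    }

    // Hardened: refuse any DOCTYPE and block external DTD/schema access.
    // Assumes the JDK's built-in parser (others may reject ACCESS_EXTERNAL_*).
    static DocumentBuilderFactory hardened() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Parse SAMPLE and report whether the parser accepted it or why it stopped.
    static String tryParse(DocumentBuilderFactory f) {
        try {
            f.newDocumentBuilder()
             .parse(new ByteArrayInputStream(SAMPLE.getBytes(StandardCharsets.UTF_8)));
            return "parsed";
        } catch (Exception e) {
            return e.getClass().getSimpleName() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("permissive -> " + tryParse(permissive()));
        System.out.println("hardened   -> " + tryParse(hardened()));
    }
}
```

On a stock JDK the permissive factory fails only when it tries to open the placeholder file, which shows that resolution was attempted, while the hardened factory stops at the DOCTYPE declaration.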

What is the Impact of CVE-2022-46751?

Successful exploitation may allow attackers to exfiltrate sensitive data from the system, access internal network resources, induce denial-of-service conditions, or execute arbitrary code depending on the system configuration and parsed resources.

What is the Exploitability of CVE-2022-46751?

Exploitation of this XXE/XML Injection vulnerability typically involves moderate complexity, requiring the attacker to understand XML structure and external entity references. An attacker needs to provide specially crafted XML input to an application that uses a vulnerable version of Apache Ivy for parsing. Authentication requirements depend on whether the XML parsing functionality is accessible to unauthenticated users; if it is, no authentication is needed. Privilege requirements are generally low, as the vulnerability affects the application's parsing logic itself. Exploitation is remote, as the attacker sends malicious XML over the network. Special conditions include the application's reliance on Apache Ivy for XML parsing, and the processing of untrusted XML input. The likelihood of exploitation increases if the application publicly exposes endpoints that accept XML input that is subsequently parsed by Ivy.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2022-46751?

Available Upgrade Options

  • org.apache.ivy:ivy
    • <2.5.2 → Upgrade to 2.5.2

Additional Resources

What are Similar Vulnerabilities to CVE-2022-46751?

Similar Vulnerabilities: CVE-2017-1000486, CVE-2018-11784, CVE-2017-15707, CVE-2019-12270, CVE-2021-38297