Security Tracking Issue

Do not make this issue public.

Impact: Moderate
Reported Date: 01-Dec-2022
PM Fix/Wontfix Decision By: 31-Dec-2022
Resolve Bug By: 30-May-2023

In case the dates above are already past, please evaluate this bug in your next prioritization review and make a decision then. Remember to explicitly set CLOSED:WONTFIX if you decide not to fix this bug.

Please review this tracker and its impact on your product or service, as soon as possible. The trackers are filed WITHOUT in-depth analysis as the vulnerability has a Low or Moderate severity impact on this product or service. For more details, please refer to following confluence page - https://docs.engineering.redhat.com/x/3e_3EQ

Please see the Security Errata Policy for further details: https://docs.engineering.redhat.com/x/9kKpDw

Flaw:

CVE-2022-37866 : Apache Ivy: Ivy Path traversal
https://bugzilla.redhat.com/show_bug.cgi?id=2150011

When Apache Ivy downloads artifacts from a repository it stores them in the local file system based on a user-supplied "pattern" that may include placeholders for artifacts coordinates like the organisation, module or version. If said coordinates contain "../" sequences - which are valid characters for Ivy coordinates in general - it is possible the artifacts are stored outside of Ivy's local cache or repository or can overwrite different artifacts inside of the local cache. In order to exploit this vulnerability an attacker needs collaboration by the remote repository as Ivy will issue http requests containing ".." sequences and a "normal" repository will not interpret them as part of the artifact coordinates. Users of Apache Ivy 2.0.0 to 2.5.1 should upgrade to Ivy 2.5.1.