Bug 2182188 (CVE-2022-37865)

Summary: CVE-2022-37865 apache-ivy: Directory Traversal
Product: [Other] Security Response
Reporter: Patrick Del Bello <pdelbell>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: aileenc, anstephe, asoldano, ataylor, avibelli, bbaranow, bgeorges, bmaxwell, boliveir, brian.stansberry, cdewolf, chazlett, darran.lofthouse, dkreling, dosoudil, drichtar, fjuma, fmongiar, gmalinko, hbraun, hhorak, ivassile, iweiss, janstey, jnethert, jorton, jpavlik, jpoth, jross, lgao, lthon, mizdebsk, mokumar, mosmerov, msochure, msvehla, nwallace, pdelbell, pdrozd, peholase, pgallagh, pjindal, pmackay, pskopek, rjohnson, rowaters, rruss, rstancel, smaestri, sthorger, tcunning, tom.jenkinson, yfang
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: Apache Ivy 2.5.1
Doc Type: ---
Doc Text:
A flaw was found in Apache Ivy. Apache Ivy 2.4.0 introduced an optional packaging attribute that allows artifacts to be unpacked on the fly if pack200 or zip packaging was used. For artifacts using zip, jar or war packaging, Ivy before 2.5.1 does not validate the target path of each archive entry during extraction, so a crafted archive could allow a malicious user to write files outside the intended extraction directory, anywhere the user running Ivy has write access.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2023-05-03 19:49:11 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2182189, 2182260, 2182261, 2182262, 2182263
Bug Blocks: 2140156

Description Patrick Del Bello 2023-03-27 20:12:51 UTC
With Apache Ivy 2.4.0 an optional packaging attribute has been introduced that allows artifacts to be unpacked on the fly if they used pack200 or zip packaging. For artifacts using the "zip", "jar" or "war" packaging Ivy prior to 2.5.1 doesn't verify the target path when extracting the archive. An archive containing absolute paths or paths that try to traverse "upwards" using ".." sequences can then write files to any location on the local file system that the user executing Ivy has write access to. Ivy users of version 2.4.0 to 2.5.0 should upgrade to Ivy 2.5.1.

https://lists.apache.org/thread/gqvvv7qsm2dfjg6xzsw1s2h08tbr0sdy
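
The extraction flaw described in the Doc Text and in the Description above, as an added example (not Apache Ivy's own code): a crafted archive is constructed in memory with a benign entry, a ".." traversal entry and an absolute-path entry; naive_target() reproduces the unchecked join the advisory describes, and safe_target()/safe_extract() show the path validation a fixed extractor must apply before writing. The archive contents, the entry names and the scratch directory are assumptions made for the demonstration.

```python
"""Zip-slip check for on-the-fly artifact unpacking.

Added example for the flaw described in this bug; it is not Apache Ivy's code.
The archive is constructed sample data. naive_target() reproduces the behaviour
the advisory describes (entry names trusted as-is); safe_target() is the check a
hardened extractor applies before writing anything.
"""
import io
import os
import tempfile
import zipfile
from typing import List, Optional, Tuple


def build_malicious_zip() -> bytes:
    """Constructed sample archive: a jar-like layout plus a '..' traversal
    entry and an absolute-path entry (zipfile stores both names verbatim)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("../../evil.sh", "echo pwned\n")
        zf.writestr("/tmp/evil2.sh", "echo pwned\n")
    return buf.getvalue()


def naive_target(dest: str, name: str) -> str:
    """Unchecked resolution, as the advisory describes for Ivy before 2.5.1:
    the entry name is joined onto dest and trusted. '..' walks out of dest,
    and an absolute name makes os.path.join discard dest entirely."""
    return os.path.normpath(os.path.join(dest, name))


def safe_target(dest: str, name: str) -> Optional[str]:
    """Hardened resolution: canonicalise both sides (symlinks already present
    in dest are resolved) and require the candidate to stay strictly inside
    dest. Returns None for any entry that must be rejected."""
    root = os.path.realpath(dest)
    candidate = os.path.realpath(os.path.join(root, name))
    try:
        inside = os.path.commonpath([root, candidate]) == root
    except ValueError:  # e.g. different drives on Windows
        inside = False
    if not inside or candidate == root:
        return None
    return candidate


def safe_extract(data: bytes, dest: str) -> Tuple[List[str], List[str]]:
    """Extract only entries that resolve inside dest.
    Returns (written, rejected) entry names in archive order."""
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            target = safe_target(dest, info.filename)
            if target is None:
                rejected.append(info.filename)
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            # Entries are always written as regular files, so a symlink entry
            # in the archive cannot be used to redirect later writes.
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(info.filename)
    return written, rejected


def demo() -> dict:
    """Run both resolvers over the sample archive in a scratch directory."""
    data = build_malicious_zip()
    with tempfile.TemporaryDirectory() as dest:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
        prefix = os.path.join(dest, "")
        escaped = [n for n in names if not naive_target(dest, n).startswith(prefix)]
        written, rejected = safe_extract(data, dest)
        return {"escaped_under_naive": escaped, "written": written, "rejected": rejected}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check compares canonicalised paths rather than looking for ".." substrings, so it also rejects absolute entry names and names that reach the parent only after symlink resolution; both are the cases the advisory lists. Note that the modern Python zipfile module already sanitises names in extract()/extractall(), which is why the example resolves paths itself instead of relying on the library.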

Comment 1 Patrick Del Bello 2023-03-27 20:13:15 UTC
Created apache-ivy tracking bugs for this issue:

Affects: fedora-all [bug 2182189]

Comment 5 errata-xmlrpc 2023-05-03 14:07:13 UTC
This issue has been addressed in the following products:

  RHINT Camel-Springboot 3.20.1

Via RHSA-2023:2100 https://access.redhat.com/errata/RHSA-2023:2100

Comment 6 Product Security DevOps Team 2023-05-03 19:49:07 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-37865