CVSS3
Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | NONE |
Integrity Impact | HIGH |
Availability Impact | HIGH |

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
EPSS
Percentile: 47.7%
With Apache Ivy 2.4.0 an optional packaging attribute has been introduced that allows artifacts to be unpacked on the fly if they used pack200 or zip packaging.
For artifacts using the "zip", "jar" or "war" packaging, Ivy prior to version 2.5.1 doesn't verify the target path when extracting the archive. An archive containing absolute paths or paths that try to traverse "upwards" using ".." sequences can then write files to any location on the local file system that the user executing Ivy has write access to.
Ivy users of version 2.4.0 to 2.5.0 should upgrade to Ivy version 2.5.1.
Vendor | Product | Version | CPE |
---|---|---|---|
org.apache.ivy | ivy | * | cpe:2.3:a:org.apache.ivy:ivy:*:*:*:*:*:*:*:* |