Re: CVE-2022-37865: Apache Ivy allow create/overwrite any file on the system

[Demi Marie Obenour <demi () invisiblethingslab com>]

On Fri, Nov 04, 2022 at 12:06:48PM +0100, Stefan Bodewig wrote:
> Severity: medium
>
> Description:
>
> With Apache Ivy 2.4.0 an optional packaging attribute has been
> introduced that allows artifacts to be unpacked on the fly if they used
> pack200 or zip packaging.
>
> For artifacts using the "zip", "jar" or "war" packaging Ivy prior to
> 2.5.1 doesn't verify the target path when extracting the archive. An
> archive containing absolute paths or paths that try to traverse
> "upwards" using ".." sequences can then write files to any location on
> the local fie system that the user executing Ivy has write access to.
>
> Mitigation:
>
> Ivy users of version 2.4.0 to 2.5.0 should upgrade to Ivy 2.5.1.
>
> Credit:
>
> This issue was discovered by Kostya Kortchinsky of the Databricks Security Team.

FYI, you might want to rotate your OpenPGP key, or at least use a newer
hash algorithm.  The signature I got uses SHA-1 which is no longer
considered secure.
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab

Attachment: signature.asc
Description: