CVE-2022-46751: Apache Ivy XML External Entity Injections Vulnerability
Apache Ivy is a popular dependency manager used by many software projects. However, a vulnerability -CVE-2022-46751- in Ivy prior to version 2.5.2 could allow an attacker to inject malicious code into Ivy’s processing of XML files. This could be used to exfiltrate data, access resources only the machine running Ivy has access to, or disturb the execution of Ivy in different ways.
The vulnerability occurs because Ivy allows the processing of external document type definitions (DTDs) when parsing XML files. A DTD is a file that defines the structure of an XML document. An attacker could create a malicious DTD that contains a reference to an external file. When Ivy parses the XML file, it will download the external file and expand any entity references contained therein. To put it simply, the CVE-2022-46751 flaw let attackers to
- Exfiltrate sensitive data.
- Access exclusive resources that only the host machine running Ivy might be privy to.
- Interrupt or derail Ivy’s standard operations.
Recognizing the gravity of the situation, the team behind Apache Ivy introduced significant modifications in version 2.5.2. One of the most notable changes is the disabled DTD processing by default.
“Starting with Ivy 2.5.2 DTD processing is disabled by default except when parsing Maven POMs where the default is to allow DTD processing but only to include a DTD snippet shipping with Ivy that is needed to deal with existing Maven POMs that are not valid XML files but are nevertheless accepted by Maven. Access can be made more lenient via newly introduced system properties where needed,” read the security advisory.
For those still using Ivy versions predating 2.5.2, you can safeguard yourself from this vulnerability by leveraging Java system properties to restrict the processing of external DTDs. However, the wisest course of action would be to update to the latest version and benefit from the enhanced security measures.