CVE-2022-37865
Public on 2022-11-07
Modified on 2024-02-12
Description
A flaw was found in Apache Ivy. With Apache Ivy 2.4.0, an optional packaging attribute was introduced that allows artifacts to be unpacked on the fly if pack200 or zip packaging was used. This issue could allow a malicious user to have unwanted access. Ivy users of version 2.4.0 to 2.5.0 should upgrade to Ivy 2.5.1.
Severity
Important
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 1 | apache-ivy | Not Affected | ||
| Amazon Linux 2 - Core | apache-ivy | Not Affected | ||
| Amazon Linux 2023 | apache-ivy | 2023-04-27 | ALAS2023-2023-174 | Fixed |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 7.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L |
| NVD | CVSSv3 | 9.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H |