CVE-2022-46751
Detail
Modified After Enrichment
This CVE record has been updated after NVD enrichment efforts were completed. Enrichment data supplied by the NVD may require amendment due to these changes.
Current Description
Improper Restriction of XML External Entity Reference, XML Injection (aka Blind XPath Injection) vulnerability in Apache Software Foundation Apache Ivy.This issue affects any version of Apache Ivy prior to 2.5.2.
When Apache Ivy prior to 2.5.2 parses XML files - either its own configuration, Ivy files or Apache Maven POMs - it will allow downloading external document type definitions and expand any entity references contained therein when used.
This can be used to exfiltrate data, access resources only the machine running Ivy has access to or disturb the execution of Ivy in different ways.
Starting with Ivy 2.5.2 DTD processing is disabled by default except when parsing Maven POMs where the default is to allow DTD processing but only to include a DTD snippet shipping with Ivy that is needed to deal with existing Maven POMs that are not valid XML files but are nevertheless accepted by Maven. Access can be be made more lenient via newly introduced system properties where needed.
Users of Ivy prior to version 2.5.2 can use Java system properties to restrict processing of external DTDs, see the section about "JAXP Properties for External Access restrictions" inside Oracle's "Java API for XML Processing (JAXP) Security Guide".
View Analysis Description
Analysis
Description
Improper Restriction of XML External Entity Reference, XML Injection (aka Blind XPath Injection) vulnerability in Apache Software Foundation Apache Ivy.This issue affects any version of Apache Ivy prior to 2.5.2.
When Apache Ivy prior to 2.5.2 parses XML files - either its own configuration, Ivy files or Apache Maven POMs - it will allow downloading external document type definitions and expand any entity references contained therein when used.
This can be used to exfiltrate data, access resources only the machine running Ivy has access to or disturb the execution of Ivy in different ways.
Starting with Ivy 2.5.2 DTD processing is disabled by default except when parsing Maven POMs where the default is to allow DTD processing but only to include a DTD snippet shipping with Ivy that is needed to deal with existing Maven POMs that are not valid XML files but are nevertheless accepted by Maven. Access can be be made more lenient via newly introduced system properties where needed.
Users of Ivy prior to version 2.5.2 can use Java system properties to restrict processing of external DTDs, see the section about "JAXP Properties for External Access restrictions" inside Oracle's "Java API for XML Processing (JAXP) Security Guide".
Metrics
NVD enrichment efforts reference publicly available information to associate
vector strings. CVSS information contributed by other sources is also
displayed.
CVSS 4.0 Severity and Vector Strings:
NVD assessment
not yet provided.
CVSS 3.x Severity and Vector Strings:
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L
CVSS 2.0 Severity and Vector Strings:
Base
Score:
NVD assessment
not yet provided.
References to Advisories, Solutions, and Tools
By selecting these links, you will be leaving NIST webspace.
We have provided these links to other web sites because they
may have information that would be of interest to you. No
inferences should be drawn on account of other sites being
referenced, or not, from this page. There may be other web
sites that are more appropriate for your purpose. NIST does
not necessarily endorse the views expressed, or concur with
the facts presented on these sites. Further, NIST does not
endorse any commercial products that may be mentioned on
these sites. Please address comments about this page to [email protected].
Weakness Enumeration
| CWE-ID |
CWE Name |
Source |
|
CWE-91
|
XML Injection (aka Blind XPath Injection) |
Apache Software Foundation
|
|
CWE-611
|
Improper Restriction of XML External Entity Reference |
Apache Software Foundation
|
Change History
8 change records found show changes
CVE Modified by CISA-ADP
6/17/2026 1:12:19 AM
| Action |
Type |
Old Value |
New Value |
| Added |
Affected |
[{"vendor":"apache","product":"ivy","defaultStatus":"unknown","cpes":["cpe:2.3:a:apache:ivy:*:*:*:*:*:*:*:*"],"versions":[{"version":"1.0.0","lessThanOrEqual":"2.5.1","versionType":"custom","status":"affected"}]}]
|
| Added |
SSVC |
{"timestamp":"2024-09-27T20:07:17.726856Z","id":"CVE-2022-46751","options":[{"exploitation":"none"},{"automatable":"yes"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}
|
CVE Modified by Apache Software Foundation
6/17/2026 1:12:19 AM
| Action |
Type |
Old Value |
New Value |
| Added |
Affected |
[{"vendor":"Apache Software Foundation","product":"Apache Ivy","defaultStatus":"unaffected","versions":[{"version":"1.0.0","lessThanOrEqual":"2.5.1","versionType":"semver","status":"affected"}]}]
|
CVE Modified by Apache Software Foundation
2/13/2025 12:15:48 PM
| Action |
Type |
Old Value |
New Value |
| Changed |
Description |
Improper Restriction of XML External Entity Reference, XML Injection (aka Blind XPath Injection) vulnerability in Apache Software Foundation Apache Ivy.This issue affects any version of Apache Ivy prior to 2.5.2.
When Apache Ivy prior to 2.5.2 parses XML files - either its own configuration, Ivy files or Apache Maven POMs - it will allow downloading external document type definitions and expand any entity references contained therein when used.
This can be used to exfiltrate data, access resources only the machine running Ivy has access to or disturb the execution of Ivy in different ways.
Starting with Ivy 2.5.2 DTD processing is disabled by default except when parsing Maven POMs where the default is to allow DTD processing but only to include a DTD snippet shipping with Ivy that is needed to deal with existing Maven POMs that are not valid XML files but are nevertheless accepted by Maven. Access can be be made more lenient via newly introduced system properties where needed.
Users of Ivy prior to version 2.5.2 can use Java system properties to restrict processing of external DTDs, see the section about "JAXP Properties for External Access restrictions" inside Oracle's "Java API for XML Processing (JAXP) Security Guide".
|
Improper Restriction of XML External Entity Reference, XML Injection (aka Blind XPath Injection) vulnerability in Apache Software Foundation Apache Ivy.This issue affects any version of Apache Ivy prior to 2.5.2.
When Apache Ivy prior to 2.5.2 parses XML files - either its own configuration, Ivy files or Apache Maven POMs - it will allow downloading external document type definitions and expand any entity references contained therein when used.
This can be used to exfiltrate data, access resources only the machine running Ivy has access to or disturb the execution of Ivy in different ways.
Starting with Ivy 2.5.2 DTD processing is disabled by default except when parsing Maven POMs where the default is to allow DTD processing but only to include a DTD snippet shipping with Ivy that is needed to deal with existing Maven POMs that are not valid XML files but are nevertheless accepted by Maven. Access can be be made more lenient via newly introduced system properties where needed.
Users of Ivy prior to version 2.5.2 can use Java system properties to restrict processing of external DTDs, see the section about "JAXP Properties for External Access restrictions" inside Oracle's "Java API for XML Processing (JAXP) Security Guide".
|
CVE Modified by CVE
11/21/2024 2:31:00 AM
| Action |
Type |
Old Value |
New Value |
| Added |
Reference |
http://www.openwall.com/lists/oss-security/2023/09/06/9
|
| Added |
Reference |
https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-94ABC0EE-9DC8-44F0-84AD-47ADD5340477
|
| Added |
Reference |
https://gitbox.apache.org/repos/asf?p=ant-ivy.git;a=commit;h=2be17bc18b0e1d4123007d579e43ba1a4b6fab3d
|
| Added |
Reference |
https://lists.apache.org/thread/1dj60hg5nr36kjr4p1100dwjrqookps8
|
| Added |
Reference |
https://lists.apache.org/thread/9gcz4xrsn8c7o9gb377xfzvkb8jltffr
|
CVE Modified by CISA-ADP
9/27/2024 5:35:01 PM
| Action |
Type |
Old Value |
New Value |
| Added |
CVSS V3.1 |
CISA-ADP AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L
|
CVE Modified by Apache Software Foundation
5/14/2024 7:46:45 AM
| Action |
Type |
Old Value |
New Value |
CVE Modified by Apache Software Foundation
9/06/2023 11:15:15 AM
| Action |
Type |
Old Value |
New Value |
| Added |
Reference |
http://www.openwall.com/lists/oss-security/2023/09/06/9 [No Types Assigned]
|
Initial Analysis by NIST
8/31/2023 12:20:28 PM
| Action |
Type |
Old Value |
New Value |
| Added |
CVSS V3.1 |
NIST AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L
|
| Added |
CPE Configuration |
OR
*cpe:2.3:a:apache:ivy:*:*:*:*:*:*:*:* versions up to (excluding) 2.5.2
|
| Changed |
Reference Type |
https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-94ABC0EE-9DC8-44F0-84AD-47ADD5340477 No Types Assigned
|
https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-94ABC0EE-9DC8-44F0-84AD-47ADD5340477 Third Party Advisory
|
| Changed |
Reference Type |
https://gitbox.apache.org/repos/asf?p=ant-ivy.git;a=commit;h=2be17bc18b0e1d4123007d579e43ba1a4b6fab3d No Types Assigned
|
https://gitbox.apache.org/repos/asf?p=ant-ivy.git;a=commit;h=2be17bc18b0e1d4123007d579e43ba1a4b6fab3d Vendor Advisory
|
| Changed |
Reference Type |
https://lists.apache.org/thread/1dj60hg5nr36kjr4p1100dwjrqookps8 No Types Assigned
|
https://lists.apache.org/thread/1dj60hg5nr36kjr4p1100dwjrqookps8 Mailing List, Vendor Advisory
|
| Changed |
Reference Type |
https://lists.apache.org/thread/9gcz4xrsn8c7o9gb377xfzvkb8jltffr No Types Assigned
|
https://lists.apache.org/thread/9gcz4xrsn8c7o9gb377xfzvkb8jltffr Mailing List, Vendor Advisory
|
Quick Info
CVE Dictionary Entry: CVE-2022-46751 NVD
Published Date: 08/21/2023 NVD
Last Modified: 06/17/2026
Source: Apache Software Foundation
|
