A blind XPath injection vulnerability has been uncovered in Apache Ivy, a component of the Apache Software Foundation, which permits malicious actors to surreptitiously retrieve sensitive data that is normally restricted to the host running Apache Ivy.
This security flaw is present in versions prior to 2.5.2 and occurs during the parsing of XML files when processing its own configuration as well as Maven POMs (Project Object Models). It allows for the downloading of external documents and the expansion of entity references.
Exploiting this Blind XPath injection vulnerability provides threat actors with various avenues for manipulating or executing Ivy and gaining access to sensitive information residing on the host. This vulnerability arises from the improper handling of XML External Entity references.
Apache Ivy is a dependency manager used for resolving project dependencies and is an integral part of the Apache Ant project. It utilizes an XML file to define project dependencies and list the essential resources needed for project construction.
This vulnerability has been assigned CVE-2022-46751, with the CVSS score yet to be confirmed.
To mitigate this issue, Apache has released version 2.5.2 of Apache Ivy. In this release, DTD (Document Type Definition) processing is disabled by default for all files except Maven POMs, where only a DTD snippet necessary for dealing with existing Maven POMs can be included. It’s important to note that these DTD snippets are not valid XML files but are accepted by Maven POMs.
Apache Ivy, originating from the Apache Tomcat Project in 2000, plays a key role in automating software build processes.
Users are strongly advised to upgrade to Apache Ivy version 2.5.2 to safeguard against the exploitation of this vulnerability. Alternatively, Java system properties can be employed to restrict the processing of external DTDs.