Saturday, July 13, 2024

Apache Ivy Injection Flaw Let Attackers Exfiltrate Sensitive Data

A blind XPath injection vulnerability was discovered in Apache Software Foundation Apache Ivy, which allows threat actors to exfiltrate data and access sensitive information that is restricted to only the machine that runs Apache Ivy.

This vulnerability exists in the parsing of XML files in versions lesser than 2.5.2 while parsing its own configuration, Maven POMs (Project Object Models), which allows external document downloading and expansion of any entity references.

Threat actors can exploit this Blind XPath injection vulnerability to manipulate or execute the Ivy in different ways or access sensitive information inside the machine. This vulnerability is due to improper restriction of XML External Entity reference.

It is a dependency manager which resolves project dependencies and is a part of the Apache Ant project. It uses an XML file for defining project dependencies to list the necessary resources to build a project.

The CVE ID for this vulnerability has been given as CVE-2022-46751, and the CVSS score is yet to be confirmed.

Apache Ivy 2.5.2 version released

Prior to Apache Ivy version 2.5.2, Apache Ivy has DTD processing by default while parsing Maven POMs and other files.

However, as part of fixing the bug, Apache has released Apache Ivy version 2.5.2, which disables DTD (Document Type Definition) processing for all the files excluding Maven POMs, which allows only a DTD snippet to be included that is used for dealing with existing Maven POMs.

These are not valid XML files but are accepted by Maven POMs. Apache Ivy is a part of the Apache Ant project that specializes in automating software build processes which originated from the Apache Tomcat Project 2000.

Users are recommended to upgrade to the latest version of Apache Ivy 2.5.2 to prevent this vulnerability from getting exploited. As an alternative, Java system properties can be used to restrict the processing of external DTDs.

Keep informed about the latest Cyber Security News by following us on GoogleNewsLinkedinTwitter, and Facebook.


Latest articles

mSpy Data Breach: Millions of Customers’ Data Exposed

mSpy, a widely used phone spyware application, has suffered a significant data breach, exposing...

Advance Auto Parts Cyber Attack: Over 2 Million Users Data Exposed

RALEIGH, NC—Advance Stores Company, Incorporated, a prominent commercial entity in the automotive industry, has...

Hackers Using ClickFix Social Engineering Tactics to Deploy Malware

Cybersecurity researchers at McAfee Labs have uncovered a sophisticated new method of malware delivery,...

Coyote Banking Trojan Attacking Windows Users To Steal Login Details

Hackers use Banking Trojans to steal sensitive financial information. These Trojans can also intercept...

Hackers Created 700+ Fake Domains to Sell Olympic Games Tickets

As the world eagerly anticipates the Olympic Games Paris 2024, a cybersecurity threat has...

Japanese Space Agency Spotted zero-day via Microsoft 365 Services

The Japan Aerospace Exploration Agency (JAXA) has revealed details of a cybersecurity incident that...

Top 10 Active Directory Management Tools – 2024

Active Directory Management Tools are essential for IT administrators to manage and secure Active...
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles