{"schema_version": "1.6.1", "id": "CVE-2022-37866", "summary": "Apache Ivy allows path traversal in the presence of a malicious repository", "details": "When Apache Ivy downloads artifacts from a repository it stores them in\nthe local file system based on a user-supplied \"pattern\" that may\ninclude placeholders for artifacts coordinates like the organisation,\nmodule or version.\n\nIf said coordinates contain \"../\" sequences - which are valid characters\nfor Ivy coordinates in general - it is possible the artifacts are stored\noutside of Ivy's local cache or repository or can overwrite different\nartifacts inside of the local cache.\n\nIn order to exploit this vulnerability an attacker needs collaboration\nby the remote repository as Ivy will issue http requests containing \"..\"\nsequences and a \"normal\" repository will not interpret them as part of\nthe artifact coordinates.\n\nUsers of Apache Ivy 2.0.0 to 2.5.1 should upgrade to Ivy 2.5.1.", "affected": [{"ranges": [{"type": "SEMVER", "events": [{"introduced": "2.0.0"}, {"fixed": "*"}]}]}], "references": [{"type": "ADVISORY", "url": "https://lists.apache.org/thread/htxbr8oc464hxrgroftnz3my70whk93b"}]}