{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-46751", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2022-12-07T12:23:31.486Z", "datePublished": "2023-08-21T06:55:00.181Z", "dateUpdated": "2025-02-13T16:33:53.044Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache Ivy", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "2.5.1", "status": "affected", "version": "1.0.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "CC Bomber, Kitri BoB"}, {"lang": "en", "type": "reporter", "value": "Jenkins Security Team"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Restriction of XML External Entity Reference, XML Injection (aka Blind XPath Injection) vulnerability in Apache Software Foundation Apache Ivy.<p>This issue affects any version of Apache Ivy prior to 2.5.2.</p><p>When Apache Ivy prior to 2.5.2 parses XML files - either its own configuration, Ivy files or Apache Maven POMs - it will allow downloading external document type definitions and expand any entity references contained therein when used.</p><p>This can be used to exfiltrate data, access resources only the machine running Ivy has access to or disturb the execution of Ivy in different ways.</p><p>Starting with Ivy 2.5.2 DTD processing is disabled by default except when parsing Maven POMs where the default is to allow DTD processing but only to include a DTD snippet shipping with Ivy that is needed to deal with existing Maven POMs that are not valid XML files but are nevertheless accepted by Maven. Access can be be made more lenient via newly introduced system properties where needed.<br></p><p>Users of Ivy prior to version 2.5.2 can use Java system properties to restrict processing of external DTDs, see the section about \"JAXP Properties for External Access restrictions\" inside Oracle's \"Java API for XML Processing (JAXP) Security Guide\".<br></p>"}], "value": "Improper Restriction of XML External Entity Reference, XML Injection (aka Blind XPath Injection) vulnerability in Apache Software Foundation Apache Ivy.This issue affects any version of Apache Ivy prior to 2.5.2.\n\nWhen Apache Ivy prior to 2.5.2 parses XML files - either its own configuration, Ivy files or Apache Maven POMs - it will allow downloading external document type definitions and expand any entity references contained therein when used.\n\nThis can be used to exfiltrate data, access resources only the machine running Ivy has access to or disturb the execution of Ivy in different ways.\n\nStarting with Ivy 2.5.2 DTD processing is disabled by default except when parsing Maven POMs where the default is to allow DTD processing but only to include a DTD snippet shipping with Ivy that is needed to deal with existing Maven POMs that are not valid XML files but are nevertheless accepted by Maven. Access can be be made more lenient via newly introduced system properties where needed.\n\nUsers of Ivy prior to version 2.5.2 can use Java system properties to restrict processing of external DTDs, see the section about \"JAXP Properties for External Access restrictions\" inside Oracle's \"Java API for XML Processing (JAXP) Security Guide\"."}], "metrics": [{"other": {"content": {"text": "moderate"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-611", "description": "CWE-611 Improper Restriction of XML External Entity Reference", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-91", "description": "CWE-91 XML Injection (aka Blind XPath Injection)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2023-09-06T14:06:11.958Z"}, "references": [{"tags": ["mitigation"], "url": "https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-94ABC0EE-9DC8-44F0-84AD-47ADD5340477"}, {"tags": ["patch"], "url": "https://gitbox.apache.org/repos/asf?p=ant-ivy.git;a=commit;h=2be17bc18b0e1d4123007d579e43ba1a4b6fab3d"}, {"tags": ["release-notes"], "url": "https://lists.apache.org/thread/9gcz4xrsn8c7o9gb377xfzvkb8jltffr"}, {"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/1dj60hg5nr36kjr4p1100dwjrqookps8"}, {"url": "http://www.openwall.com/lists/oss-security/2023/09/06/9"}], "source": {"discovery": "EXTERNAL"}, "timeline": [{"lang": "en", "time": "2022-11-30T17:54:00.000Z", "value": "reported to the ASF security team"}, {"lang": "en", "time": "2023-08-20T21:00:00.000Z", "value": "made public"}], "title": "Apache Ivy: XML External Entity vulnerability in Apache Ivy", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T14:39:38.282Z"}, "title": "CVE Program Container", "references": [{"tags": ["mitigation", "x_transferred"], "url": "https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-94ABC0EE-9DC8-44F0-84AD-47ADD5340477"}, {"tags": ["patch", "x_transferred"], "url": "https://gitbox.apache.org/repos/asf?p=ant-ivy.git;a=commit;h=2be17bc18b0e1d4123007d579e43ba1a4b6fab3d"}, {"tags": ["release-notes", "x_transferred"], "url": "https://lists.apache.org/thread/9gcz4xrsn8c7o9gb377xfzvkb8jltffr"}, {"tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.apache.org/thread/1dj60hg5nr36kjr4p1100dwjrqookps8"}, {"url": "http://www.openwall.com/lists/oss-security/2023/09/06/9", "tags": ["x_transferred"]}]}, {"affected": [{"vendor": "apache", "product": "ivy", "cpes": ["cpe:2.3:a:apache:ivy:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "1.0.0", "status": "affected", "lessThanOrEqual": "2.5.1", "versionType": "custom"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-09-27T20:07:17.726856Z", "id": "CVE-2022-46751", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-27T20:27:38.791Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-94ABC0EE-9DC8-44F0-84AD-47ADD5340477", "tags": ["mitigation", "x_transferred"]}, {"url": "https://gitbox.apache.org/repos/asf?p=ant-ivy.git;a=commit;h=2be17bc18b0e1d4123007d579e43ba1a4b6fab3d", "tags": ["patch", "x_transferred"]}, {"url": "https://lists.apache.org/thread/9gcz4xrsn8c7o9gb377xfzvkb8jltffr", "tags": ["release-notes", "x_transferred"]}, {"url": "https://lists.apache.org/thread/1dj60hg5nr36kjr4p1100dwjrqookps8", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2023/09/06/9", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T14:39:38.282Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2022-46751", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-27T20:07:17.726856Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:apache:ivy:*:*:*:*:*:*:*:*"], "vendor": "apache", "product": "ivy", "versions": [{"status": "affected", "version": "1.0.0", "versionType": "custom", "lessThanOrEqual": "2.5.1"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-27T20:27:26.661Z"}}], "cna": {"title": "Apache Ivy: XML External Entity vulnerability in Apache Ivy", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "CC Bomber, Kitri BoB"}, {"lang": "en", "type": "reporter", "value": "Jenkins Security Team"}], "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "moderate"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache Ivy", "versions": [{"status": "affected", "version": "1.0.0", "versionType": "semver", "lessThanOrEqual": "2.5.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2022-11-30T17:54:00.000Z", "value": "reported to the ASF security team"}, {"lang": "en", "time": "2023-08-20T21:00:00.000Z", "value": "made public"}], "references": [{"url": "https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-94ABC0EE-9DC8-44F0-84AD-47ADD5340477", "tags": ["mitigation"]}, {"url": "https://gitbox.apache.org/repos/asf?p=ant-ivy.git;a=commit;h=2be17bc18b0e1d4123007d579e43ba1a4b6fab3d", "tags": ["patch"]}, {"url": "https://lists.apache.org/thread/9gcz4xrsn8c7o9gb377xfzvkb8jltffr", "tags": ["release-notes"]}, {"url": "https://lists.apache.org/thread/1dj60hg5nr36kjr4p1100dwjrqookps8", "tags": ["vendor-advisory"]}, {"url": "http://www.openwall.com/lists/oss-security/2023/09/06/9"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Improper Restriction of XML External Entity Reference, XML Injection (aka Blind XPath Injection) vulnerability in Apache Software Foundation Apache Ivy.This issue affects any version of Apache Ivy prior to 2.5.2.\n\nWhen Apache Ivy prior to 2.5.2 parses XML files - either its own configuration, Ivy files or Apache Maven POMs - it will allow downloading external document type definitions and expand any entity references contained therein when used.\n\nThis can be used to exfiltrate data, access resources only the machine running Ivy has access to or disturb the execution of Ivy in different ways.\n\nStarting with Ivy 2.5.2 DTD processing is disabled by default except when parsing Maven POMs where the default is to allow DTD processing but only to include a DTD snippet shipping with Ivy that is needed to deal with existing Maven POMs that are not valid XML files but are nevertheless accepted by Maven. Access can be be made more lenient via newly introduced system properties where needed.\n\nUsers of Ivy prior to version 2.5.2 can use Java system properties to restrict processing of external DTDs, see the section about \"JAXP Properties for External Access restrictions\" inside Oracle's \"Java API for XML Processing (JAXP) Security Guide\".", "supportingMedia": [{"type": "text/html", "value": "Improper Restriction of XML External Entity Reference, XML Injection (aka Blind XPath Injection) vulnerability in Apache Software Foundation Apache Ivy.<p>This issue affects any version of Apache Ivy prior to 2.5.2.</p><p>When Apache Ivy prior to 2.5.2 parses XML files - either its own configuration, Ivy files or Apache Maven POMs - it will allow downloading external document type definitions and expand any entity references contained therein when used.</p><p>This can be used to exfiltrate data, access resources only the machine running Ivy has access to or disturb the execution of Ivy in different ways.</p><p>Starting with Ivy 2.5.2 DTD processing is disabled by default except when parsing Maven POMs where the default is to allow DTD processing but only to include a DTD snippet shipping with Ivy that is needed to deal with existing Maven POMs that are not valid XML files but are nevertheless accepted by Maven. Access can be be made more lenient via newly introduced system properties where needed.<br></p><p>Users of Ivy prior to version 2.5.2 can use Java system properties to restrict processing of external DTDs, see the section about \"JAXP Properties for External Access restrictions\" inside Oracle's \"Java API for XML Processing (JAXP) Security Guide\".<br></p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-611", "description": "CWE-611 Improper Restriction of XML External Entity Reference"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-91", "description": "CWE-91 XML Injection (aka Blind XPath Injection)"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2023-09-06T14:06:11.958Z"}}}, "cveMetadata": {"cveId": "CVE-2022-46751", "state": "PUBLISHED", "dateUpdated": "2025-02-13T16:33:53.044Z", "dateReserved": "2022-12-07T12:23:31.486Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2023-08-21T06:55:00.181Z", "assignerShortName": "apache"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:ivy:*:*:*:*:*:*:*:*", "matchCriteriaId": "9859B6AC-BC83-4555-AA73-4568233DDA2D", "versionEndExcluding": "2.5.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Restriction of XML External Entity Reference, XML Injection (aka Blind XPath Injection) vulnerability in Apache Software Foundation Apache Ivy.This issue affects any version of Apache Ivy prior to 2.5.2.\n\nWhen Apache Ivy prior to 2.5.2 parses XML files - either its own configuration, Ivy files or Apache Maven POMs - it will allow downloading external document type definitions and expand any entity references contained therein when used.\n\nThis can be used to exfiltrate data, access resources only the machine running Ivy has access to or disturb the execution of Ivy in different ways.\n\nStarting with Ivy 2.5.2 DTD processing is disabled by default except when parsing Maven POMs where the default is to allow DTD processing but only to include a DTD snippet shipping with Ivy that is needed to deal with existing Maven POMs that are not valid XML files but are nevertheless accepted by Maven. Access can be be made more lenient via newly introduced system properties where needed.\n\nUsers of Ivy prior to version 2.5.2 can use Java system properties to restrict processing of external DTDs, see the section about \"JAXP Properties for External Access restrictions\" inside Oracle's \"Java API for XML Processing (JAXP) Security Guide\"."}], "id": "CVE-2022-46751", "lastModified": "2025-02-13T17:15:48.227", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2023-08-21T07:15:33.740", "references": [{"source": "security@apache.org", "url": "http://www.openwall.com/lists/oss-security/2023/09/06/9"}, {"source": "security@apache.org", "tags": ["Third Party Advisory"], "url": "https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-94ABC0EE-9DC8-44F0-84AD-47ADD5340477"}, {"source": "security@apache.org", "tags": ["Vendor Advisory"], "url": "https://gitbox.apache.org/repos/asf?p=ant-ivy.git;a=commit;h=2be17bc18b0e1d4123007d579e43ba1a4b6fab3d"}, {"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/1dj60hg5nr36kjr4p1100dwjrqookps8"}, {"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/9gcz4xrsn8c7o9gb377xfzvkb8jltffr"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2023/09/06/9"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-94ABC0EE-9DC8-44F0-84AD-47ADD5340477"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://gitbox.apache.org/repos/asf?p=ant-ivy.git;a=commit;h=2be17bc18b0e1d4123007d579e43ba1a4b6fab3d"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/1dj60hg5nr36kjr4p1100dwjrqookps8"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/9gcz4xrsn8c7o9gb377xfzvkb8jltffr"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-91"}, {"lang": "en", "value": "CWE-611"}], "source": "security@apache.org", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2024:1027", "cpe": "cpe:/a:redhat:migration_toolkit_applications:6.2::el8", "package": "mta/mta-rhel8-operator:6.2.2-3", "product_name": "MTA-6.2-RHEL-8", "release_date": "2024-02-28T00:00:00Z"}, {"advisory": "RHSA-2024:1027", "cpe": "cpe:/a:redhat:migration_toolkit_applications:6.2::el9", "package": "mta/mta-hub-rhel9:6.2.2-2", "product_name": "MTA-6.2-RHEL-9", "release_date": "2024-02-28T00:00:00Z"}, {"advisory": "RHSA-2024:1027", "cpe": "cpe:/a:redhat:migration_toolkit_applications:6.2::el9", "package": "mta/mta-operator-bundle:6.2.2-5", "product_name": "MTA-6.2-RHEL-9", "release_date": "2024-02-28T00:00:00Z"}, {"advisory": "RHSA-2024:1027", "cpe": "cpe:/a:redhat:migration_toolkit_applications:6.2::el9", "package": "mta/mta-pathfinder-rhel9:6.2.2-2", "product_name": "MTA-6.2-RHEL-9", "release_date": "2024-02-28T00:00:00Z"}, {"advisory": "RHSA-2024:1027", "cpe": "cpe:/a:redhat:migration_toolkit_applications:6.2::el9", "package": "mta/mta-ui-rhel9:6.2.2-2", "product_name": "MTA-6.2-RHEL-9", "release_date": "2024-02-28T00:00:00Z"}, {"advisory": "RHSA-2024:1027", "cpe": "cpe:/a:redhat:migration_toolkit_applications:6.2::el9", "package": "mta/mta-windup-addon-rhel9:6.2.2-3", "product_name": "MTA-6.2-RHEL-9", "release_date": "2024-02-28T00:00:00Z"}, {"advisory": "RHSA-2024:0720", "cpe": "cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8", "package": "apache-ivy", "product_name": "MTR 1.2.4", "release_date": "2024-02-07T00:00:00Z"}, {"advisory": "RHSA-2023:7678", "cpe": "cpe:/a:redhat:amq_streams:2", "package": "apache-ivy", "product_name": "Red Hat AMQ Streams 2.6.0", "release_date": "2023-12-06T00:00:00Z"}, {"advisory": "RHSA-2023:5441", "cpe": "cpe:/a:redhat:camel_spring_boot:4.0.0", "package": "apache-ivy", "product_name": "RHINT Camel-Springboot 4.0.0", "release_date": "2023-10-04T00:00:00Z"}], "bugzilla": {"description": "apache-ivy: XML External Entity vulnerability", "id": "2233112", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2233112"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.2", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L", "status": "verified"}, "cwe": "(CWE-611|CWE-91)", "details": ["Improper Restriction of XML External Entity Reference, XML Injection (aka Blind XPath Injection) vulnerability in Apache Software Foundation Apache Ivy.This issue affects any version of Apache Ivy prior to 2.5.2.\nWhen Apache Ivy prior to 2.5.2 parses XML files - either its own configuration, Ivy files or Apache Maven POMs - it will allow downloading external document type definitions and expand any entity references contained therein when used.\nThis can be used to exfiltrate data, access resources only the machine running Ivy has access to or disturb the execution of Ivy in different ways.\nStarting with Ivy 2.5.2 DTD processing is disabled by default except when parsing Maven POMs where the default is to allow DTD processing but only to include a DTD snippet shipping with Ivy that is needed to deal with existing Maven POMs that are not valid XML files but are nevertheless accepted by Maven. Access can be be made more lenient via newly introduced system properties where needed.\nUsers of Ivy prior to version 2.5.2 can use Java system properties to restrict processing of external DTDs, see the section about \"JAXP Properties for External Access restrictions\" inside Oracle's \"Java API for XML Processing (JAXP) Security Guide\"."], "name": "CVE-2022-46751", "package_state": [{"cpe": "cpe:/a:redhat:a_mq_clients:2", "fix_state": "Not affected", "package_name": "apache-ivy", "product_name": "A-MQ Clients 2"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:3", "fix_state": "Affected", "package_name": "apache-ivy", "product_name": "Red Hat build of Apache Camel for Spring Boot 3"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Not affected", "package_name": "apache-ivy", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "apache-ivy", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "apache-ivy", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Will not fix", "package_name": "apache-ivy", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Will not fix", "package_name": "apache-ivy", "product_name": "Red Hat Integration Camel K"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Not affected", "package_name": "apache-ivy", "product_name": "Red Hat JBoss Data Grid 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6", "fix_state": "Not affected", "package_name": "apache-ivy", "product_name": "Red Hat JBoss Enterprise Application Platform 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Not affected", "package_name": "apache-ivy", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Not affected", "package_name": "apache-ivy", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "apache-ivy", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "fix_state": "Not affected", "package_name": "apache-ivy", "product_name": "Red Hat OpenShift Application Runtimes"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Not affected", "package_name": "apache-ivy", "product_name": "Red Hat Single Sign-On 7"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Will not fix", "package_name": "rh-maven36-apache-ivy", "product_name": "Red Hat Software Collections"}], "public_date": "2023-08-20T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-46751\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-46751\nhttps://lists.apache.org/thread/1dj60hg5nr36kjr4p1100dwjrqookps8"], "threat_severity": "Moderate", "upstream_fix": "apache-ivy 2.5.2"}