[ https://issues.apache.org/jira/browse/ATLAS-4800?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17782265#comment-17782265 ]

ASF subversion and git services commented on ATLAS-4800:
--------------------------------------------------------

Commit 7e1286266ebd876c78d9130e057e25d58ebed052 in atlas's branch refs/heads/master from Disha Talreja
[ https://gitbox.apache.org/repos/asf?p=atlas.git;h=7e1286266 ]

ATLAS-4800: Atlas - Upgrade Apache Ivy to 2.5.2 due to CVE-2022-46751

Signed-off-by: radhikakundam <radhikakun...@apache.org>


> Atlas - Upgrade Apache Ivy to 2.5.2 due to CVE-2022-46751
> ---------------------------------------------------------
>
>                 Key: ATLAS-4800
>                 URL: https://issues.apache.org/jira/browse/ATLAS-4800
>             Project: Atlas
>          Issue Type: Task
>          Components: atlas-core
>            Reporter: Disha Talreja
>            Assignee: Disha Talreja
>            Priority: Major
>         Attachments: ATLAS-4800.patch
>
>
> Upgrade Apache Ivy to 2.5.2 due to CVE-2022-46751
> Improper Restriction of XML External Entity Reference, XML Injection (aka
> Blind XPath Injection) vulnerability in Apache Software Foundation Apache
> Ivy. This issue affects any version of Apache Ivy prior to 2.5.2. When Apache
> Ivy prior to 2.5.2 parses XML files - either its own configuration, Ivy files
> or Apache Maven POMs - it will allow downloading external document type
> definitions and expand any entity references contained therein when used.
> This can be used to exfiltrate data, access resources only the machine
> running Ivy has access to or disturb the execution of Ivy in different ways.
> CVSSv3 Score: 8.2 (High)
> [https://nvd.nist.gov/vuln/detail/CVE-2022-46751]

--
This message was sent by Atlassian Jira
(v8.20.10#820010)