-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Severity: moderate 

Affected versions:

- - Apache Ivy (org.apache.ivy:ivy) 2.0.0 through 2.5.3

Description:

The PackagerResolver of Apache Ivy is able to download online
artifacts and to (re)package them in a format defined by a
packager.xml file. This repackaging is done by an Ant script, which is
stored in a subdirectory of the configured "buildRoot" directory. This
subdirectory is calculated based on modules coordinates, like the
organisation, name or version.

If one of the coordinates contains "../" sequences - which are valid
characters for Ivy coordinates in general- it is possible to break out
of the configured "buildRoot" directory where other files can be
overwritten.

In order to exploit this vulnerability an attacker needs to have
access to a packager repository and add or modify the coordinates in
ivy.xml files to have such "../" sequences.

Users of Apache Ivy 2.0.0 to 2.5.3 (inclusive) should upgrade to Ivy 2.6.0.

Credit:

yudeshui of dhgate security (reporter)

References:

https://ant.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-26032

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEARECAAYFAmpXpS8ACgkQohFa4V9ri3JQFACgkYdLNGscRGApm1yspRbJv/pW
OB0AnRkTutFUTEiLRgV3Z6iS7/HTCK9C
=bsQ3
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to