CVE-2022-46751

8.2 HIGH
XXE

📋 TL;DR

Apache Ivy versions before 2.5.2 have an XML External Entity (XXE) vulnerability that allows attackers to read arbitrary files, access internal resources, or disrupt Ivy's execution when parsing XML files. This affects any system using vulnerable Apache Ivy versions for dependency management. The vulnerability occurs during XML parsing of Ivy configuration files, Ivy files, or Maven POMs.

💻 Affected Systems

Products:
  • Apache Ivy
Versions: All versions prior to 2.5.2
Operating Systems: All operating systems running Java
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerable when parsing any XML file, including Ivy settings files, Ivy module descriptors, or Maven POMs. Java system properties can mitigate the issue but are not set by default.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise through file exfiltration, internal network resource access, and potential remote code execution via malicious DTDs.

🟠

Likely Case

Data exfiltration from the server running Ivy, including sensitive configuration files, credentials, or internal network information.

🟢

If Mitigated

Limited impact with proper network segmentation and restricted file system permissions, though XML parsing errors may still occur.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

XXE vulnerabilities are well-understood attack vectors with many existing exploitation techniques. The vulnerability requires XML parsing to trigger.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.5.2

Vendor Advisory: https://lists.apache.org/thread/1dj60hg5nr36kjr4p1100dwjrqookps8

Restart Required: Yes

Instructions:

1. Upgrade Apache Ivy to version 2.5.2 or later.
2. Update build scripts and dependencies to use the new version.
3. Restart any services using Ivy.
4. Verify DTD processing is disabled in your configuration.

🔧 Temporary Workarounds

Java System Property Configuration


Set the JAXP access-restriction properties to deny external DTD, schema and stylesheet access, as described in the "JAXP Properties for External Access restrictions" section of Oracle's JAXP Security Guide. An empty value means no protocol is allowed; the value "all" (the JDK default) would leave external access fully enabled, so it is not a mitigation:

-Djavax.xml.accessExternalDTD=""
-Djavax.xml.accessExternalSchema=""
-Djavax.xml.accessExternalStylesheet=""
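As an added illustration (not Ivy's own code and not the 2.5.2 fix), the following Java class configures a JAXP parser the way the workaround above intends, so that a constructed Ivy module descriptor referencing an external DTD is rejected before any fetch is attempted. The class name, the sample descriptors and the placeholder host are assumptions made for this example.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.xml.sax.SAXParseException;

public class HardenedIvyXmlParser {

    // Configure a JAXP DOM parser so that no DTD, external entity or external
    // schema can be fetched, whatever a module descriptor declares.
    static DocumentBuilder hardenedBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Refuse any DOCTYPE outright: without a DTD there is no entity to expand.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        // Same switches as the javax.xml.accessExternal* system properties: an empty
        // string allows no protocol. Parsers older than JAXP 1.5 reject these attributes.
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Returns the module name from an Ivy descriptor, or null if the parser refused it.
    static String moduleName(String ivyXml) throws Exception {
        try {
            Document doc = hardenedBuilder().parse(
                    new ByteArrayInputStream(ivyXml.getBytes(StandardCharsets.UTF_8)));
            Element info = (Element) doc.getElementsByTagName("info").item(0);
            return info.getAttribute("module");
        } catch (SAXParseException e) {
            // The DOCTYPE is rejected before any URL inside it is resolved.
            System.err.println("rejected: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed, benign descriptor (not from any real project).
        String benign = "<ivy-module version=\"2.0\">"
                + "<info organisation=\"example.org\" module=\"demo\"/></ivy-module>";
        // Constructed descriptor pointing at an external DTD on a placeholder host;
        // an unhardened parser would try to fetch it while parsing.
        String external = "<!DOCTYPE ivy-module SYSTEM \"http://dtd.example.invalid/ivy.dtd\">" + benign;
        System.out.println("benign   -> " + moduleName(benign));
        System.out.println("external -> " + moduleName(external));
    }
}
```

The system properties in the workaround achieve the same effect from the command line for a stock Ivy build whose parser code you cannot change.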

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Ivy servers from sensitive internal resources
  • Apply strict file system permissions to limit what files Ivy can access on the server

🔍 How to Verify

Check if Vulnerable:

Check the Ivy version with ivy -version, or examine build configuration files for the Ivy dependency version.

Check Version:

ivy -version

Verify Fix Applied:

Confirm the version is 2.5.2 or higher, and verify from logs that DTD processing is disabled during XML parsing.

📡 Detection & Monitoring

Log Indicators:

  • Unusual XML parsing errors
  • Unexpected external network connections during XML processing
  • File access patterns from Ivy process

Network Indicators:

  • Outbound connections to unexpected external DTD URLs
  • Data exfiltration patterns from XML parsing operations

SIEM Query:

process_name:"java" AND (process_args:"ivy" OR process_args:"org.apache.ivy") AND (network_outbound:* AND NOT network_outbound:expected_repositories*)
