8.2

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-46751

GHSA ID

GHSA-2jc4-r94c-rp7h

EPSS Score

0.25978%

CWE

CWE-91

Published

8/21/2023

Updated

2/13/2025

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-46751

CVE-2022-46751: Apache Ivy External Entity Reference vulnerability

Improper Restriction of XML External Entity Reference, XML Injection (aka Blind XPath Injection) vulnerability in Apache Software Foundation Apache Ivy.This issue affects any version of Apache Ivy prior to 2.5.2.

When Apache Ivy prior to 2.5.2 parses XML files - either its own configuration, Ivy files or Apache Maven POMs - it will allow downloading external document type definitions and expand any entity references contained therein when used.

This can be used to exfiltrate data, access resources only the machine running Ivy has access to or disturb the execution of Ivy in different ways.

Starting with Ivy 2.5.2 DTD processing is disabled by default except when parsing Maven POMs where the default is to allow DTD processing but only to include a DTD snippet shipping with Ivy that is needed to deal with existing Maven POMs that are not valid XML files but are nevertheless accepted by Maven. Access can be be made more lenient via newly introduced system properties where needed.

Users of Ivy prior to version 2.5.2 can use Java system properties to restrict processing of external DTDs, see the section about "JAXP Properties for External Access restrictions" inside Oracle's "Java API for XML Processing (JAXP) Security Guide".

(GitHub Advisory)

8.2

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-46751

GHSA ID

GHSA-2jc4-r94c-rp7h

EPSS Score

0.25978%

CWE

CWE-91

Published

8/21/2023

Updated

2/13/2025

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.apache.ivy:ivy	maven	< 2.5.2	2.5.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from insecure XML parsing configurations. The commit patching CVE-2022-46751 introduces secure processing flags (ivy.xml.allow-doctype-processing, ivy.xml.external-resources) and modifies XMLHelper to enforce them. The vulnerable functions are those that previously created XML parsers without these restrictions. Key areas include SAXParser/DocumentBuilderFactory configurations in XMLHelper, and specific XML parsing entry points (settings files, Ivy descriptors, POM files) that used the insecure parsers. The high confidence comes from explicit security-related code changes in these functions within the provided diff.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Improp*r R*stri*tion o* XML *xt*rn*l *ntity R***r*n**, XML Inj**tion (*k* *lin* XP*t* Inj**tion) vuln*r**ility in *p**** So*tw*r* *oun**tion *p**** Ivy.T*is issu* *****ts *ny v*rsion o* *p**** Ivy prior to *.*.*. W**n *p**** Ivy prior to *.*.* p*rs*

Reasoning

T** vuln*r**ility st*ms *rom ins**ur* XML p*rsin* *on*i*ur*tions. T** *ommit p*t**in* `*V*-****-*****` intro*u**s s**ur* pro**ssin* *l**s (`ivy.xml.*llow-*o*typ*-pro**ssin*`, `ivy.xml.*xt*rn*l-r*sour**s`) *n* mo*i*i*s `XML**lp*r` to *n*or** t**m. T**

8.2

Basic Information

Concerned about an active attack path?

CVE-2022-46751: Apache Ivy External Entity Reference vulnerability

8.2

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI