-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Severity: moderate
Affected versions: - - Apache Ivy (org.apache.ivy:ivy) 2.0.0 through 2.5.3 Description: The PackagerResolver of Apache Ivy is able to download online artifacts and to (re)package them in a format defined by a packager.xml file. This repackaging is done by an Ant script, which is stored in a subdirectory of the configured "buildRoot" directory. This subdirectory is calculated based on modules coordinates, like the organisation, name or version. If one of the coordinates contains "../" sequences - which are valid characters for Ivy coordinates in general- it is possible to break out of the configured "buildRoot" directory where other files can be overwritten. In order to exploit this vulnerability an attacker needs to have access to a packager repository and add or modify the coordinates in ivy.xml files to have such "../" sequences. Users of Apache Ivy 2.0.0 to 2.5.3 (inclusive) should upgrade to Ivy 2.6.0. Credit: yudeshui of dhgate security (reporter) References: https://ant.apache.org/ https://www.cve.org/CVERecord?id=CVE-2026-26032 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iEYEARECAAYFAmpXpS8ACgkQohFa4V9ri3JQFACgkYdLNGscRGApm1yspRbJv/pW OB0AnRkTutFUTEiLRgV3Z6iS7/HTCK9C =bsQ3 -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
