CVE-2022-37866 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2022-37866 Interim 1 18 2026-03-05T04:38:35Z current 2022-11-08T00:41:19Z 2026-03-05T04:38:35Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2022-37866 When Apache Ivy downloads artifacts from a repository it stores them in the local file system based on a user-supplied "pattern" that may include placeholders for artifacts coordinates like the organisation, module or version. If said coordinates contain "../" sequences - which are valid characters for Ivy coordinates in general - it is possible the artifacts are stored outside of Ivy's local cache or repository or can overwrite different artifacts inside of the local cache. In order to exploit this vulnerability an attacker needs collaboration by the remote repository as Ivy will issue http requests containing ".." sequences and a "normal" repository will not interpret them as part of the artifact coordinates. Users of Apache Ivy 2.0.0 to 2.5.1 should upgrade to Ivy 2.5.1. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://lists.suse.com/pipermail/sle-security-updates/2023-March/014085.html E-Mail link for SUSE-CU-2023:712-1 https://lists.suse.com/pipermail/sle-security-updates/2023-March/014086.html E-Mail link for SUSE-CU-2023:713-1 https://lists.suse.com/pipermail/sle-updates/2023-March/028253.html E-Mail link for SUSE-CU-2023:714-1 https://lists.suse.com/pipermail/sle-updates/2023-March/028254.html E-Mail link for SUSE-CU-2023:715-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings SUSE Enterprise Storage 7 SUSE Enterprise Storage 7.1 SUSE Linux Enterprise Module for Development Tools 15 SP4 SUSE Linux Enterprise Module for Development Tools 15 SP5 SUSE Linux Enterprise Module for Development Tools 15 SP6 SUSE Linux Enterprise Module for Development Tools 15 SP7 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS SUSE Linux Enterprise Module for Development Tools 15 SP4 SUSE Linux Enterprise Module for Development Tools 15 SP5 SUSE Linux Enterprise Module for Development Tools 15 SP6 SUSE Linux Enterprise Module for Development Tools 15 SP7 SUSE Linux Enterprise Real Time 15 SP3 SUSE Linux Enterprise Server 15 SP2-LTSS SUSE Linux Enterprise Server 15 SP3-LTSS SUSE Linux Enterprise Module for Development Tools 15 SP4 SUSE Linux Enterprise Module for Development Tools 15 SP5 SUSE Linux Enterprise Module for Development Tools 15 SP6 SUSE Linux Enterprise Module for Development Tools 15 SP7 SUSE Linux Enterprise Server 16.0 SUSE Linux Enterprise Server for SAP Applications 15 SP2 SUSE Linux Enterprise Server for SAP Applications 15 SP3 SUSE Linux Enterprise Module for Development Tools 15 SP4 SUSE Linux Enterprise Module for Development Tools 15 SP5 SUSE Linux Enterprise Module for Development Tools 15 SP6 SUSE Linux Enterprise Module for Development Tools 15 SP7 SUSE Linux Enterprise Module for Development Tools 15 SP4 SUSE Linux Enterprise Module for Development Tools 15 SP4 SUSE Linux Enterprise Module for Development Tools 15 SP4 openSUSE Leap 15.4 openSUSE Tumbleweed apache-ivy-2.5.1-1.1 apache-ivy-2.5.1-150200.3.6.3 apache-ivy-2.5.3-160000.2.2 apache-ivy-javadoc-2.5.1-1.1 apache-ivy-javadoc-2.5.1-150200.3.6.3 apache-ivy-javadoc-2.5.3-160000.2.2 ivy-local-5.3.0-150200.3.4.4 javapackages-ivy-5.3.1-150200.3.4.4 xmvn-connector-ivy-4.0.0~20220302.6a60be3-150200.2.17.3 xmvn-connector-ivy-javadoc-4.0.0~20220302.6a60be3-150200.2.17.3 apache-ivy-2.5.1-150200.3.6.3 as a component of SUSE Enterprise Storage 7 ivy-local-5.3.0-150200.3.4.4 as a component of SUSE Enterprise Storage 7 javapackages-ivy-5.3.1-150200.3.4.4 as a component of SUSE Enterprise Storage 7 xmvn-connector-ivy-4.0.0~20220302.6a60be3-150200.2.17.3 as a component of SUSE Enterprise Storage 7 apache-ivy-2.5.1-150200.3.6.3 as a component of SUSE Enterprise Storage 7.1 ivy-local-5.3.0-150200.3.4.4 as a component of SUSE Enterprise Storage 7.1 javapackages-ivy-5.3.1-150200.3.4.4 as a component of SUSE Enterprise Storage 7.1 xmvn-connector-ivy-4.0.0~20220302.6a60be3-150200.2.17.3 as a component of SUSE Enterprise Storage 7.1 apache-ivy-2.5.1-150200.3.6.3 as a component of SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS ivy-local-5.3.0-150200.3.4.4 as a component of SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS javapackages-ivy-5.3.1-150200.3.4.4 as a component of SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS xmvn-connector-ivy-4.0.0~20220302.6a60be3-150200.2.17.3 as a component of SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS apache-ivy-2.5.1-150200.3.6.3 as a component of SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS ivy-local-5.3.0-150200.3.4.4 as a component of SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS javapackages-ivy-5.3.1-150200.3.4.4 as a component of SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS xmvn-connector-ivy-4.0.0~20220302.6a60be3-150200.2.17.3 as a component of SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS apache-ivy-2.5.1-150200.3.6.3 as a component of SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS ivy-local-5.3.0-150200.3.4.4 as a component of SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS javapackages-ivy-5.3.1-150200.3.4.4 as a component of SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS xmvn-connector-ivy-4.0.0~20220302.6a60be3-150200.2.17.3 as a component of SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS apache-ivy-2.5.1-150200.3.6.3 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP4 ivy-local-5.3.0-150200.3.4.4 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP4 javapackages-ivy-5.3.1-150200.3.4.4 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP4 xmvn-connector-ivy-4.0.0~20220302.6a60be3-150200.2.17.3 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP4 apache-ivy-2.5.1-150200.3.6.3 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP5 ivy-local-5.3.0-150200.3.4.4 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP5 javapackages-ivy-5.3.1-150200.3.4.4 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP5 xmvn-connector-ivy-4.0.0~20220302.6a60be3-150200.2.17.3 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP5 apache-ivy-2.5.1-150200.3.6.3 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP6 ivy-local-5.3.0-150200.3.4.4 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP6 javapackages-ivy-5.3.1-150200.3.4.4 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP6 xmvn-connector-ivy-4.0.0~20220302.6a60be3-150200.2.17.3 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP6 apache-ivy-2.5.1-150200.3.6.3 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP7 ivy-local-5.3.0-150200.3.4.4 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP7 javapackages-ivy-5.3.1-150200.3.4.4 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP7 xmvn-connector-ivy-4.0.0~20220302.6a60be3-150200.2.17.3 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP7 apache-ivy-2.5.1-150200.3.6.3 as a component of SUSE Linux Enterprise Real Time 15 SP3 ivy-local-5.3.0-150200.3.4.4 as a component of SUSE Linux Enterprise Real Time 15 SP3 javapackages-ivy-5.3.1-150200.3.4.4 as a component of SUSE Linux Enterprise Real Time 15 SP3 xmvn-connector-ivy-4.0.0~20220302.6a60be3-150200.2.17.3 as a component of SUSE Linux Enterprise Real Time 15 SP3 apache-ivy-2.5.1-150200.3.6.3 as a component of SUSE Linux Enterprise Server 15 SP2-LTSS ivy-local-5.3.0-150200.3.4.4 as a component of SUSE Linux Enterprise Server 15 SP2-LTSS javapackages-ivy-5.3.1-150200.3.4.4 as a component of SUSE Linux Enterprise Server 15 SP2-LTSS xmvn-connector-ivy-4.0.0~20220302.6a60be3-150200.2.17.3 as a component of SUSE Linux Enterprise Server 15 SP2-LTSS apache-ivy-2.5.1-150200.3.6.3 as a component of SUSE Linux Enterprise Server 15 SP3-LTSS ivy-local-5.3.0-150200.3.4.4 as a component of SUSE Linux Enterprise Server 15 SP3-LTSS javapackages-ivy-5.3.1-150200.3.4.4 as a component of SUSE Linux Enterprise Server 15 SP3-LTSS xmvn-connector-ivy-4.0.0~20220302.6a60be3-150200.2.17.3 as a component of SUSE Linux Enterprise Server 15 SP3-LTSS apache-ivy-2.5.3-160000.2.2 as a component of SUSE Linux Enterprise Server 16.0 apache-ivy-javadoc-2.5.3-160000.2.2 as a component of SUSE Linux Enterprise Server 16.0 apache-ivy-2.5.1-150200.3.6.3 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP2 ivy-local-5.3.0-150200.3.4.4 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP2 javapackages-ivy-5.3.1-150200.3.4.4 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP2 xmvn-connector-ivy-4.0.0~20220302.6a60be3-150200.2.17.3 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP2 apache-ivy-2.5.1-150200.3.6.3 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP3 ivy-local-5.3.0-150200.3.4.4 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP3 javapackages-ivy-5.3.1-150200.3.4.4 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP3 xmvn-connector-ivy-4.0.0~20220302.6a60be3-150200.2.17.3 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP3 apache-ivy-2.5.1-150200.3.6.3 as a component of openSUSE Leap 15.4 apache-ivy-javadoc-2.5.1-150200.3.6.3 as a component of openSUSE Leap 15.4 ivy-local-5.3.0-150200.3.4.4 as a component of openSUSE Leap 15.4 javapackages-ivy-5.3.1-150200.3.4.4 as a component of openSUSE Leap 15.4 xmvn-connector-ivy-4.0.0~20220302.6a60be3-150200.2.17.3 as a component of openSUSE Leap 15.4 xmvn-connector-ivy-javadoc-4.0.0~20220302.6a60be3-150200.2.17.3 as a component of openSUSE Leap 15.4 apache-ivy-2.5.1-1.1 as a component of openSUSE Tumbleweed apache-ivy-javadoc-2.5.1-1.1 as a component of openSUSE Tumbleweed When Apache Ivy downloads artifacts from a repository it stores them in the local file system based on a user-supplied "pattern" that may include placeholders for artifacts coordinates like the organisation, module or version. If said coordinates contain "../" sequences - which are valid characters for Ivy coordinates in general - it is possible the artifacts are stored outside of Ivy's local cache or repository or can overwrite different artifacts inside of the local cache. In order to exploit this vulnerability an attacker needs collaboration by the remote repository as Ivy will issue http requests containing ".." sequences and a "normal" repository will not interpret them as part of the artifact coordinates. Users of Apache Ivy 2.0.0 to 2.5.1 should upgrade to Ivy 2.5.1. CVE-2022-37866 SUSE Enterprise Storage 7:apache-ivy-2.5.1-150200.3.6.3 SUSE Enterprise Storage 7:ivy-local-5.3.0-150200.3.4.4 SUSE Enterprise Storage 7:javapackages-ivy-5.3.1-150200.3.4.4 SUSE Enterprise Storage 7:xmvn-connector-ivy-4.0.0~20220302.6a60be3-150200.2.17.3 SUSE Enterprise Storage 7.1:apache-ivy-2.5.1-150200.3.6.3 SUSE Enterprise Storage 7.1:ivy-local-5.3.0-150200.3.4.4 SUSE Enterprise Storage 7.1:javapackages-ivy-5.3.1-150200.3.4.4 SUSE Enterprise Storage 7.1:xmvn-connector-ivy-4.0.0~20220302.6a60be3-150200.2.17.3 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:apache-ivy-2.5.1-150200.3.6.3 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:ivy-local-5.3.0-150200.3.4.4 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:javapackages-ivy-5.3.1-150200.3.4.4 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:xmvn-connector-ivy-4.0.0~20220302.6a60be3-150200.2.17.3 SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS:apache-ivy-2.5.1-150200.3.6.3 SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS:ivy-local-5.3.0-150200.3.4.4 SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS:javapackages-ivy-5.3.1-150200.3.4.4 SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS:xmvn-connector-ivy-4.0.0~20220302.6a60be3-150200.2.17.3 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:apache-ivy-2.5.1-150200.3.6.3 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:ivy-local-5.3.0-150200.3.4.4 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:javapackages-ivy-5.3.1-150200.3.4.4 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:xmvn-connector-ivy-4.0.0~20220302.6a60be3-150200.2.17.3 SUSE Linux Enterprise Module for Development Tools 15 SP4:apache-ivy-2.5.1-150200.3.6.3 SUSE Linux Enterprise Module for Development Tools 15 SP4:ivy-local-5.3.0-150200.3.4.4 SUSE Linux Enterprise Module for Development Tools 15 SP4:javapackages-ivy-5.3.1-150200.3.4.4 SUSE Linux Enterprise Module for Development Tools 15 SP4:xmvn-connector-ivy-4.0.0~20220302.6a60be3-150200.2.17.3 SUSE Linux Enterprise Module for Development Tools 15 SP5:apache-ivy-2.5.1-150200.3.6.3 SUSE Linux Enterprise Module for Development Tools 15 SP5:ivy-local-5.3.0-150200.3.4.4 SUSE Linux Enterprise Module for Development Tools 15 SP5:javapackages-ivy-5.3.1-150200.3.4.4 SUSE Linux Enterprise Module for Development Tools 15 SP5:xmvn-connector-ivy-4.0.0~20220302.6a60be3-150200.2.17.3 SUSE Linux Enterprise Module for Development Tools 15 SP6:apache-ivy-2.5.1-150200.3.6.3 SUSE Linux Enterprise Module for Development Tools 15 SP6:ivy-local-5.3.0-150200.3.4.4 SUSE Linux Enterprise Module for Development Tools 15 SP6:javapackages-ivy-5.3.1-150200.3.4.4 SUSE Linux Enterprise Module for Development Tools 15 SP6:xmvn-connector-ivy-4.0.0~20220302.6a60be3-150200.2.17.3 SUSE Linux Enterprise Module for Development Tools 15 SP7:apache-ivy-2.5.1-150200.3.6.3 SUSE Linux Enterprise Module for Development Tools 15 SP7:ivy-local-5.3.0-150200.3.4.4 SUSE Linux Enterprise Module for Development Tools 15 SP7:javapackages-ivy-5.3.1-150200.3.4.4 SUSE Linux Enterprise Module for Development Tools 15 SP7:xmvn-connector-ivy-4.0.0~20220302.6a60be3-150200.2.17.3 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 SP5:apache-ivy-javadoc-2.5.1-150200.3.6.3 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 SP5:xmvn-connector-ivy-javadoc-4.0.0~20220302.6a60be3-150200.2.17.3 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 SP6:apache-ivy-javadoc-2.5.1-150200.3.6.3 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 SP6:xmvn-connector-ivy-javadoc-4.0.0~20220302.6a60be3-150200.2.17.3 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 SP7:apache-ivy-javadoc-2.5.1-150200.3.6.3 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 SP7:xmvn-connector-ivy-javadoc-4.0.0~20220302.6a60be3-150200.2.17.3 SUSE Linux Enterprise Real Time 15 SP3:apache-ivy-2.5.1-150200.3.6.3 SUSE Linux Enterprise Real Time 15 SP3:ivy-local-5.3.0-150200.3.4.4 SUSE Linux Enterprise Real Time 15 SP3:javapackages-ivy-5.3.1-150200.3.4.4 SUSE Linux Enterprise Real Time 15 SP3:xmvn-connector-ivy-4.0.0~20220302.6a60be3-150200.2.17.3 SUSE Linux Enterprise Server 15 SP2-LTSS:apache-ivy-2.5.1-150200.3.6.3 SUSE Linux Enterprise Server 15 SP2-LTSS:ivy-local-5.3.0-150200.3.4.4 SUSE Linux Enterprise Server 15 SP2-LTSS:javapackages-ivy-5.3.1-150200.3.4.4 SUSE Linux Enterprise Server 15 SP2-LTSS:xmvn-connector-ivy-4.0.0~20220302.6a60be3-150200.2.17.3 SUSE Linux Enterprise Server 15 SP3-LTSS:apache-ivy-2.5.1-150200.3.6.3 SUSE Linux Enterprise Server 15 SP3-LTSS:ivy-local-5.3.0-150200.3.4.4 SUSE Linux Enterprise Server 15 SP3-LTSS:javapackages-ivy-5.3.1-150200.3.4.4 SUSE Linux Enterprise Server 15 SP3-LTSS:xmvn-connector-ivy-4.0.0~20220302.6a60be3-150200.2.17.3 SUSE Linux Enterprise Server 16.0:apache-ivy-2.5.3-160000.2.2 SUSE Linux Enterprise Server 16.0:apache-ivy-javadoc-2.5.3-160000.2.2 SUSE Linux Enterprise Server for SAP Applications 15 SP2:apache-ivy-2.5.1-150200.3.6.3 SUSE Linux Enterprise Server for SAP Applications 15 SP2:ivy-local-5.3.0-150200.3.4.4 SUSE Linux Enterprise Server for SAP Applications 15 SP2:javapackages-ivy-5.3.1-150200.3.4.4 SUSE Linux Enterprise Server for SAP Applications 15 SP2:xmvn-connector-ivy-4.0.0~20220302.6a60be3-150200.2.17.3 SUSE Linux Enterprise Server for SAP Applications 15 SP3:apache-ivy-2.5.1-150200.3.6.3 SUSE Linux Enterprise Server for SAP Applications 15 SP3:ivy-local-5.3.0-150200.3.4.4 SUSE Linux Enterprise Server for SAP Applications 15 SP3:javapackages-ivy-5.3.1-150200.3.4.4 SUSE Linux Enterprise Server for SAP Applications 15 SP3:xmvn-connector-ivy-4.0.0~20220302.6a60be3-150200.2.17.3 openSUSE Leap 15.4:apache-ivy-2.5.1-150200.3.6.3 openSUSE Leap 15.4:apache-ivy-javadoc-2.5.1-150200.3.6.3 openSUSE Leap 15.4:ivy-local-5.3.0-150200.3.4.4 openSUSE Leap 15.4:javapackages-ivy-5.3.1-150200.3.4.4 openSUSE Leap 15.4:xmvn-connector-ivy-4.0.0~20220302.6a60be3-150200.2.17.3 openSUSE Leap 15.4:xmvn-connector-ivy-javadoc-4.0.0~20220302.6a60be3-150200.2.17.3 openSUSE Tumbleweed:apache-ivy-2.5.1-1.1 openSUSE Tumbleweed:apache-ivy-javadoc-2.5.1-1.1 moderate 6.3 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H