CVE-2022-37865: 
Java vulnerability analysis and mitigation

Apache Ivy versions 2.4.0 to 2.5.0 contain a directory traversal vulnerability (CVE-2022-37865). The vulnerability was introduced in version 2.4.0 with an optional packaging attribute that allows artifacts to be unpacked on the fly for pack200 or zip packaging. For artifacts using 'zip', 'jar' or 'war' packaging, Ivy prior to 2.5.1 doesn't verify the target path when extracting the archive (NVD).

The vulnerability stems from improper path validation during archive extraction. When processing archives with 'zip', 'jar' or 'war' packaging, the application fails to properly verify target paths, allowing an archive to contain absolute paths or paths that attempt to traverse upwards using '..' sequences. The vulnerability has been assigned a CVSS v3.1 Base Score of 9.1 (CRITICAL) with the vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H (NVD).

If exploited, this vulnerability allows an attacker to write files to any location on the local file system where the user executing Ivy has write access. This could potentially lead to unauthorized file creation, modification, or deletion in arbitrary locations on the system (NVD).

Users of Apache Ivy versions 2.4.0 to 2.5.0 should upgrade to Ivy 2.5.1 which contains the fix for this vulnerability. The issue has been addressed in Fedora through the release of apache-ivy-2.5.1-3.fc38 (Fedora Update).