CVE-2016-8750

CWE-907 documents6 sources

Severity

6.5MEDIUM

EPSS

1.5%

top 18.81%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Karaf Apache Software Foundation Apache Karaf

Timeline

PublishedFeb 19

Latest updateJan 7

Description

Apache Karaf prior to 4.0.8 used the LDAPLoginModule to authenticate users to a directory via LDAP. However, it did not encoding usernames properly and hence was vulnerable to LDAP injection attacks leading to a denial of service.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

▶NVDapache/karaf< 4.0.8

▶Mavenorg.apache.karaf:apache-karaf< 4.0.8

▶CVEListV5apache_software_foundation/apache_karafprior to 4.0.8

Patches

Patch: karaf.apache.org ↗Patch: karaf.apache.org ↗

🔴Vulnerability Details

GHSA

Moderate severity vulnerability that affects org.apache.karaf:apache-karaf↗2019-01-07

▶

OSV

Moderate severity vulnerability that affects org.apache.karaf:apache-karaf↗2019-01-07

▶

CVEList

CVE-2016-8750: Apache Karaf prior to 4↗2018-02-19

▶

📋Vendor Advisories

Red Hat

karaf: LDAP injection in LDAPLoginModule↗2016-12-12

▶

💬Community

Bugzilla

CVE-2016-8750 karaf: LDAP injection in LDAPLoginModule↗2017-12-11

▶

Bugzilla

CVE-2015-8750 libdwarf: NULL pointer dereference in dwarf_utils.c↗2016-01-08

▶