CVE-2019-0226: Path Traversal in Apache Karaf

CWE-22: Path Traversal | 4 documents | 4 sources

Severity: 4.9 MEDIUM (NVD)
EPSS: 1.6% (top 18.18%)
CISA KEV: Not in KEV
Exploit: No known exploits

Timeline
Published: May 9
Latest update: May 24

Description

The Apache Karaf Config service provides an install method (via service or MBean) that could be used to traverse to any directory and overwrite existing files. The risk is low if the Karaf process user has limited permissions on the filesystem. Any Apache Karaf version before 4.2.5 is impacted. Users should upgrade to Apache Karaf 4.2.5 or later.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
Exploitability: 1.2 | Impact: 3.6

Affected Packages (2 packages)

NVD: apache/karaf < 4.2.5
CVEListV5: apache/karaf prior to 4.2.5

Vulnerability Details (3)

GHSA: Apache Karaf vulnerable to relative path traversal (2022-05-24)
OSV: Apache Karaf vulnerable to relative path traversal (2022-05-24)
CVEList: CVE-2019-0226: Apache Karaf Config service provides a install method (via service or MBean) that could be used to travel in any directory and overwrite existing file (2019-05-09)