CVE-2020-11980 — Server-Side Request Forgery in Apache Karaf
Severity
6.3 MEDIUM (NVD)
EPSS
0.5%
top 33.41%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Jun 12
Latest update: Feb 10
Description
In Karaf, JMX authentication takes place using JAAS and authorization takes place using ACL files. By default, only an "admin" can actually invoke on an MBean. However, there is a vulnerability for someone who is not an admin but has a "viewer" role. In 'etc/jmx.acl.cfg', such a role can call get*. It is possible to authenticate with a viewer role and invoke the MLet getMBeansFromURL method, which goes off to a remote server to fetch the desired MBean, which is then registered in Karaf…
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Exploitability: 2.8 | Impact: 3.4