Apache Karaf vulnerabilities
12 known vulnerabilities affecting apache/karaf.

Total CVEs: 12
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0

Severity breakdown: CRITICAL 2, HIGH 4, MEDIUM 6
Vulnerabilities
CVE-2022-40145 | CRITICAL | CVSS 9.8 | CWE-20 | fixed in 4.3.8; also affected: >= 4.4.0, < 4.4.2 | 2022-12-21
This vulnerability concerns a potential code injection when an attacker has control of the target LDAP server used in the JDBC JNDI URL. The function jaas.modules.src.main.java.org.apache.karaf.jaas.modules.jdbc.JDBCUtils#doCreateDatasource uses InitialContext.lookup(jndiName) without filtering. A user can modify `options.put(JDBCUtils.DATASOURCE, "
Source: nvd
CVE-2021-41766 | HIGH | CVSS 8.1 | CWE-502 | fixed in 4.3.6 | 2022-01-26
Apache Karaf allows monitoring of applications and the Java runtime by using the Java Management Extensions (JMX). JMX is a Java RMI based technology that relies on Java serialized objects for client server communication. Whereas the default JMX implementation is hardened against unauthenticated deserialization attacks, the implementation used by Apac
Source: nvd
CVE-2022-22932 | MEDIUM | CVSS 5.3 | CWE-22 | fixed in 4.2.15; also affected: >= 4.3.0, < 4.3.6 | 2022-01-26
Apache Karaf obr:* commands and the run goal on the karaf-maven-plugin have a partial path traversal which allows breaking out of the expected folder. The risk is low as obr:* commands are not widely used and the entry is set by the user. This has been fixed in revision: https://gitbox.apache.org/repos/asf?p=karaf.git;h=36a2bc4 https://gitbox.apache.org/repos/asf?p=
Source: nvd
CVE-2020-28052 | HIGH | CVSS 8.1 | v4.3.2 | 2020-12-18
An issue was discovered in Legion of the Bouncy Castle BC Java 1.65 and 1.66. The OpenBSDBCrypt.checkPassword utility method compared incorrect data when checking the password, allowing incorrect passwords to indicate they were matching with previously hashed ones that were different.
Source: nvd
CVE-2020-11980 | MEDIUM | CVSS 6.3 | CWE-918 | fixed in 4.2.9 | 2020-06-12
In Karaf, JMX authentication takes place using JAAS and authorization takes place using ACL files. By default, only an "admin" can actually invoke on an MBean. However, there is a vulnerability there for someone who is not an admin but has a "viewer" role. In 'etc/jmx.acl.cfg', such a role can call get*. It's possible to authenticate as a viewe
Source: nvd
CVE-2019-0226 | MEDIUM | CVSS 4.9 | CWE-22 | fixed in 4.2.5; affected: prior to 4.2.5 | 2019-05-09
The Apache Karaf Config service provides an install method (via service or MBean) that could be used to traverse any directory and overwrite an existing file. The vulnerability is low if the Karaf process user has limited permissions on the filesystem. Any Apache Karaf version before 4.2.5 is impacted. Users should upgrade to Apache Karaf 4.2.5 or later.
Sources: cvelistv5, nvd
CVE-2019-0191 | MEDIUM | CVSS 6.5 | CWE-22 | fixed in 4.2.3 | 2019-03-21
The Apache Karaf kar deployer reads .kar archives and extracts the paths from the "repository/" and "resources/" entries in the zip file. It then writes out the content of these paths to the Karaf repo and resources directories. However, it doesn't do any validation on the paths in the zip file. This means that a malicious user could craft a .kar file with
Source: nvd
CVE-2018-11788 | CRITICAL | CVSS 9.8 | CWE-611 | fixed in 4.1.7; also affected: >= 4.2.0, <= 4.2.1 (+1 more range) | 2019-01-07
Apache Karaf provides a features deployer, which allows users to "hot deploy" a features XML by dropping the file directly in the deploy folder. The features XML is parsed by the XMLInputFactory class. The Apache Karaf XMLInputFactory class doesn't contain any mitigation code against XXE. This is a potential security risk as a user can inject external X
Source: nvd
CVE-2018-11787 | HIGH | CVSS 8.1 | CWE-287 | fixed in 3.0.9; also affected: >= 4.0.0, < 4.0.9 (+2 more ranges) | 2018-09-18
In Apache Karaf versions prior to 3.0.9, 4.0.9, 4.1.1, when the webconsole feature is installed in Karaf, it is available at .../system/console and requires authentication to access it. One part of the console is a Gogo shell/console that gives access to the command line console of Karaf via a Web browser, and when navigated to it is available at .../s
Source: nvd
CVE-2018-11786 | HIGH | CVSS 8.8 | CWE-269 | fixed in 4.2.0 | 2018-09-18
In Apache Karaf prior to the 4.2.0 release, if the sshd service in Karaf is left on so an administrator can manage the running instance, any user with rights to the Karaf console can pivot and read/write any file on the file system to which the Karaf process user has access. This can be locked down a bit by using chroot to change the root directory to prot
Source: nvd
CVE-2016-8750 | MEDIUM | CVSS 6.5 | CWE-90 | fixed in 4.0.8 | 2018-02-19
Apache Karaf prior to 4.0.8 used the LDAPLoginModule to authenticate users to a directory via LDAP. However, it did not encode usernames properly and hence was vulnerable to LDAP injection attacks leading to a denial of service.
Source: nvd
CVE-2014-0219 | MEDIUM | CVSS 5.5 | CWE-20 | fixed in 4.0.10 | 2017-11-15
Apache Karaf before 4.0.10 enables a shutdown port on the loopback interface, which allows local users to cause a denial of service (shutdown) by sending a shutdown command to all listening high ports.
Source: nvd