Apache Software Foundation Apache Karaf vulnerabilities

CVE-2026-24656 [LOW] CWE-502 CVE-2026-24656: Deserialization of Untrusted Data vulnerability in Apache Karaf Decanter. The Decanter log socket Deserialization of Untrusted Data vulnerability in Apache Karaf Decanter. The Decanter log socket collector exposes the port 4560, without authentication. If the collector exposes allowed classes property, this configuration can be bypassed. It means that the log socket collector is vulnerable to deserialization of untrusted data, eventually causing D

CVE-2022-40145 [CRITICAL] CWE-20 CVE-2022-40145: This vulnerable is about a potential code injection when an attacker has control of the target LDAP This vulnerable is about a potential code injection when an attacker has control of the target LDAP server using in the JDBC JNDI URL. The function jaas.modules.src.main.java.porg.apache.karaf.jass.modules.jdbc.JDBCUtils#doCreateDatasource use InitialContext.lookup(jndiName) without filtering. An user can modify `options.put(JDBCUtils.DATASOURCE, "

CVE-2021-41766 [HIGH] CWE-502 CVE-2021-41766: Apache Karaf allows monitoring of applications and the Java runtime by using the Java Management Ext Apache Karaf allows monitoring of applications and the Java runtime by using the Java Management Extensions (JMX). JMX is a Java RMI based technology that relies on Java serialized objects for client server communication. Whereas the default JMX implementation is hardened against unauthenticated deserialization attacks, the implementation used by Apac

CVE-2022-22932 [MEDIUM] CWE-22 CVE-2022-22932: Apache Karaf obr:* commands and run goal on the karaf-maven-plugin have partial path traversal which Apache Karaf obr:* commands and run goal on the karaf-maven-plugin have partial path traversal which allows to break out of expected folder. The risk is low as obr:* commands are not very used and the entry is set by user. This has been fixed in revision: https://gitbox.apache.org/repos/asf?p=karaf.git;h=36a2bc4 https://gitbox.apache.org/repos/asf?p=

CVE-2018-11788 [CRITICAL] CWE-611 CVE-2018-11788: Apache Karaf provides a features deployer, which allows users to "hot deploy" a features XML by drop Apache Karaf provides a features deployer, which allows users to "hot deploy" a features XML by dropping the file directly in the deploy folder. The features XML is parsed by XMLInputFactory class. Apache Karaf XMLInputFactory class doesn't contain any mitigation codes against XXE. This is a potential security risk as an user can inject external X

CVE-2018-11786 [HIGH] CWE-269 CVE-2018-11786: In Apache Karaf prior to 4.2.0 release, if the sshd service in Karaf is left on so an administrator In Apache Karaf prior to 4.2.0 release, if the sshd service in Karaf is left on so an administrator can manage the running instance, any user with rights to the Karaf console can pivot and read/write any file on the file system to which the Karaf process user has access. This can be locked down a bit by using chroot to change the root directory to prot

CVE-2018-11787 [HIGH] CWE-287 CVE-2018-11787: In Apache Karaf version prior to 3.0.9, 4.0.9, 4.1.1, when the webconsole feature is installed in Ka In Apache Karaf version prior to 3.0.9, 4.0.9, 4.1.1, when the webconsole feature is installed in Karaf, it is available at .../system/console and requires authentication to access it. One part of the console is a Gogo shell/console that gives access to the command line console of Karaf via a Web browser, and when navigated to it is available at .../s

CVE-2016-8750 [MEDIUM] CWE-90 CVE-2016-8750: Apache Karaf prior to 4.0.8 used the LDAPLoginModule to authenticate users to a directory via LDAP. Apache Karaf prior to 4.0.8 used the LDAPLoginModule to authenticate users to a directory via LDAP. However, it did not encoding usernames properly and hence was vulnerable to LDAP injection attacks leading to a denial of service.