CVE-2018-11787
Description
Apache Karaf webconsole Gogo shell becomes accessible without authentication when Pax Web Extender Whiteboard is installed, exposing command-line access.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In Apache Karaf versions prior to 3.0.9, 4.0.9, and 4.1.1 [1], the webconsole feature (installed by default) exposes the Gogo shell at /system/console/gogo, which requires authentication. However, if the optional Pax Web Extender Whiteboard bundle (part of the pax-war feature) is also installed, the same Gogo shell becomes reachable at the unsecured URL /gogo/ [2]. This gives unauthenticated users direct access to the Karaf command-line console [3].
Exploitation
An attacker can exploit this by simply navigating to http://:8181/gogo/ in a browser, provided the Pax Web Extender Whiteboard is installed and the webconsole feature is active [2]. No authentication or user interaction is required. The attacker gains immediate access to the Gogo shell.
Impact
Successful exploitation allows an unauthenticated attacker to execute arbitrary commands on the Karaf container, leading to full compromise of the Karaf instance, including reading, modifying, or deleting data, and further lateral movement [1][3]. The severity is rated High (CVSS 7.5) [4].
Mitigation
The vulnerability is fixed in Apache Karaf versions 3.0.9, 4.0.9, and 4.1.1 [4]. Users should upgrade to these versions or later. As a workaround, manually stop or uninstall either the webconsole Gogo plugin bundle or the Pax Web Extender Whiteboard bundle; this removes the unauthenticated /gogo/ endpoint but may reduce functionality [1][3].
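The following is an added audit helper, not code from the advisory or from the Karaf project. It combines the two conditions described above into one offline check a defender can run over captured console output: the affected version ranges from the advisory table, and whether both the webconsole Gogo plugin and the Pax Web Extender Whiteboard bundle are active in a `bundle:list` listing. The sample listing, the bundle display names it matches on, and the assumption that `bundle:list` prints `ID | State | Lvl | Version | Name` rows are constructed for this example; adjust the name heuristics to your own instance's output.

```python
"""Audit helper for CVE-2018-11787 (added example, not from the advisory).

Flags a Karaf instance when (a) its version falls in an affected range from
the advisory table and (b) both the webconsole Gogo plugin and the Pax Web
Extender Whiteboard bundle are Active in a `bundle:list` listing.
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Affected ranges from the advisory table as [lower, upper) on (major, minor, patch).
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((0, 0, 0), (3, 0, 9)),  # < 3.0.9
    ((4, 0, 0), (4, 0, 9)),  # >= 4.0.0, < 4.0.9
    ((4, 1, 0), (4, 1, 1)),  # >= 4.1.0, < 4.1.1
]

# One data row of `bundle:list`; accepts both '|' (Karaf 4.0) and the box-drawing
# separator (Karaf 4.1). The header row starts with "ID", so it never matches.
ROW_RE = re.compile(
    r"^\s*(?P<id>\d+)\s*[|\u2502]\s*(?P<state>\w+)\s*[|\u2502]\s*(?P<lvl>\d+)\s*[|\u2502]"
    r"\s*(?P<version>\S+)\s*[|\u2502]\s*(?P<name>.+?)\s*$"
)

# Constructed sample in the layout of `bundle:list`; bundle names are assumptions.
SAMPLE_BUNDLE_LIST = """\
START LEVEL 100 , List Threshold: 50
 ID | State  | Lvl | Version | Name
------------------------------------------------------------------
 22 | Active |  80 | 4.0.8   | Apache Karaf :: Web Console :: Gogo Plugin
 41 | Active |  80 | 4.2.6   | OPS4J Pax Web - Extender - Whiteboard
 57 | Active |  80 | 4.0.8   | Apache Karaf :: Shell :: Console
"""


def parse_version(text: str) -> Version:
    """Turn '4.0.8' or '4.1.0.SNAPSHOT' into a comparable (major, minor, patch)."""
    nums = [int(n) for n in re.findall(r"\d+", text)[:3]]
    nums += [0] * (3 - len(nums))
    return (nums[0], nums[1], nums[2])


def is_affected_version(version: str) -> bool:
    """True when the Karaf version lies inside one of the advisory's ranges."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def parse_bundle_list(output: str) -> List[Dict[str, str]]:
    """Extract id/state/lvl/version/name from each data row of `bundle:list`."""
    return [m.groupdict() for m in map(ROW_RE.match, output.splitlines()) if m]


def _active_matching(rows: List[Dict[str, str]], predicate) -> List[str]:
    """Return ids of Active bundles whose lower-cased name satisfies predicate."""
    return [r["id"] for r in rows
            if r["state"].lower() == "active" and predicate(r["name"].lower())]


def assess(karaf_version: str, bundle_list_output: str) -> Dict[str, object]:
    """Combine version and bundle evidence into a verdict plus remediation hints."""
    rows = parse_bundle_list(bundle_list_output)
    # Heuristic name matches (assumed display names); tune for your own output.
    gogo_ids = _active_matching(
        rows, lambda n: "gogo" in n and ("web console" in n or "webconsole" in n))
    whiteboard_ids = _active_matching(
        rows, lambda n: "whiteboard" in n and "pax" in n)
    version_hit = is_affected_version(karaf_version)
    exposed = version_hit and bool(gogo_ids) and bool(whiteboard_ids)
    remediation = []
    if exposed:
        remediation.append("upgrade to Karaf 3.0.9 / 4.0.9 / 4.1.1 or later")
        remediation.append(
            "until then, stop or uninstall bundle(s) %s (Gogo plugin) or %s (Whiteboard)"
            % (",".join(gogo_ids), ",".join(whiteboard_ids)))
    return {
        "affected_version": version_hit,
        "gogo_plugin_active": bool(gogo_ids),
        "whiteboard_active": bool(whiteboard_ids),
        "unauthenticated_gogo_likely": exposed,
        "remediation": remediation,
    }


if __name__ == "__main__":
    for k, v in assess("4.0.8", SAMPLE_BUNDLE_LIST).items():
        print("%-28s %s" % (k, v))
```

Feed `assess` the version from `karaf --version` (or the `system:version` command, if your release provides it) and a saved copy of `bundle:list` output; it only reads text, so it can run on an audit host without touching the live console. A `True` verdict means the /gogo/ endpoint is expected to be reachable without credentials and the bundle ids in the remediation hint are the ones to stop pending upgrade.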
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.karaf:apache-karaf | Maven | < 3.0.9 | 3.0.9 |
| org.apache.karaf:apache-karaf | Maven | >= 4.0.0, < 4.0.9 | 4.0.9 |
| org.apache.karaf:apache-karaf | Maven | >= 4.1.0, < 4.1.1 | 4.1.1 |
Affected products
- Apache Software Foundation / Apache Karaf (v5), range: prior to 3.0.9
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-cq9c-55r7-455x (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-11787 (NVD advisory)
- karaf.apache.org/security/cve-2018-11787.txt (vendor advisory, x_refsource_CONFIRM)
- issues.apache.org/jira/browse/KARAF-4993 (issue tracker, x_refsource_CONFIRM)
- lists.apache.org/thread.html/d9ba4c3104ba32225646879a057b75b54430f349c246c85469037d3c%40%3Cdev.karaf.apache.org%3E (dev.karaf.apache.org mailing list, x_refsource_MLIST)
News mentions
No linked articles in our index yet.