CVE-2019-0191
Description
Apache Karaf prior to 4.2.3 contains a zip-slip vulnerability in its kar deployer, allowing arbitrary file write via crafted .kar archives.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Apache Karaf's kar deployer, in all releases prior to 4.2.3, fails to validate path traversal sequences within the repository/ and resources/ entries of .kar archive files. During extraction, the deployer writes content to the filesystem using the unvalidated path from the zip entry, enabling directory traversal with .. components [1][2].
Exploitation
An attacker with the ability to upload a malicious .kar archive to a Karaf instance (e.g., via features service or through an authenticated user triggering deployment) can craft a zip file where entry filenames contain ../ sequences. When the deployer extracts the archive, it writes files to arbitrary locations outside the intended repo and resources directories [1][2]. No additional authentication is required for the deployment action if the attacker has access to the deployer endpoint.
Impact
Successful exploitation allows an attacker to write arbitrary files to the filesystem, potentially leading to overwriting configuration files, deploying malicious artifacts, or achieving code execution depending on the writable paths. The impact is elevated if the Karaf process has broad filesystem permissions; it is considered low if the process user has restricted write capabilities [1]. The vulnerability is classified as a zip-slip attack and can compromise integrity and availability of the system [2].
Mitigation
Upgrade to Apache Karaf version 4.2.3 or later, which validates paths during .kar extraction and rejects entries with traversal components [1][2]. No workaround is documented in the available references. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog as of this writing.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.karaf:karaf (Maven) | < 4.2.3 | 4.2.3 |
| org.apache.karaf:apache-karaf (Maven) | < 4.2.3 | 4.2.3 |
Affected products
- ghsa-coords (2 versions): < 4.2.3, + 1 more
- (no CPE) range: < 4.2.3
- (no CPE) range: < 4.2.3
- Apache / Apache Karaf (v5) range: Apache Karaf version prior to 4.2.3
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-869j-5855-hjpm (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2019-0191 (ghsa; ADVISORY)
- www.securityfocus.com/bid/107462 (ghsa; vdb-entry, x_refsource_BID; WEB)
- lists.apache.org/thread.html/6856aa7ed7dd805eaf65d0e5e95027dda3b2307aacd1ab4a838c5cd1%40%3Cuser.karaf.apache.org%3E (mitre; mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/6856aa7ed7dd805eaf65d0e5e95027dda3b2307aacd1ab4a838c5cd1@%3Cuser.karaf.apache.org%3E (ghsa; WEB)
- lists.apache.org/thread.html/cef9a2d4b547625e5214684283ac5c59c9d9740e092e777dc3f85070%40%3Ccommits.karaf.apache.org%3E (mitre; mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/cef9a2d4b547625e5214684283ac5c59c9d9740e092e777dc3f85070@%3Ccommits.karaf.apache.org%3E (ghsa; WEB)
News mentions
No linked articles in our index yet.