Path traversal flaws
Description
Apache Karaf obr:* commands and run goal have partial path traversal allowing escape from expected folder; fixed in 4.2.15 and 4.3.6.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Apache Karaf versions prior to 4.2.15 and 4.3.6 are affected by a partial path traversal vulnerability in the obr:* commands and the run goal of the karaf-maven-plugin. The flaw allows breaking out of the expected folder due to insufficient path canonicalization [1][4].
Exploitation
An attacker must have the ability to execute obr:* commands or the run goal, and the entry path is set by the user. By providing a specially crafted path, an attacker can exploit the partial path traversal to escape the intended directory. The risk is considered low because these commands are not commonly used [4].
Impact
Successful exploitation allows an attacker to access files outside the expected folder, potentially leading to unauthorized information disclosure or file manipulation, depending on the context. The severity is rated low [1].
Mitigation
Users should upgrade to Apache Karaf 4.2.15, 4.3.6, or later. The fix is included in commits [2]. No other workarounds are available; users must ensure correct paths are used [4].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
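As an added illustration of the "partial path traversal" bug class the advisory names (example code written for this page, not code from Karaf or its fix): a containment check that compares canonical paths with a bare `startsWith` accepts a sibling directory whose name merely begins with the base directory's name, while the hardened check appends a separator before comparing. The directory names are constructed and do not need to exist.

```java
import java.io.File;
import java.io.IOException;

/**
 * Partial path traversal: a prefix check on canonical paths without a trailing
 * separator treats "/tmp/karaf-data-other/x" as inside "/tmp/karaf-data".
 * Added example; the directory names below are constructed for illustration.
 */
public class PartialPathTraversalDemo {

    /** Weak check: the base path is a plain string prefix of the candidate. */
    static boolean isInsideWeak(File base, File candidate) throws IOException {
        return candidate.getCanonicalPath().startsWith(base.getCanonicalPath());
    }

    /**
     * Hardened check: the candidate must be the base itself or start with the
     * base path followed by a separator, so sibling directories are rejected.
     */
    static boolean isInsideStrict(File base, File candidate) throws IOException {
        String basePath = base.getCanonicalPath();
        String candidatePath = candidate.getCanonicalPath();
        if (candidatePath.equals(basePath)) {
            return true;
        }
        String prefix = basePath.endsWith(File.separator) ? basePath : basePath + File.separator;
        return candidatePath.startsWith(prefix);
    }

    public static void main(String[] args) throws IOException {
        // getCanonicalPath() resolves ".." even for paths that do not exist.
        File base = new File(System.getProperty("java.io.tmpdir"), "karaf-data");
        File inside = new File(base, "bundles/bundle.jar");
        File sibling = new File(base.getParentFile(), "karaf-data-other/bundle.jar");
        File dotDot = new File(base, "../karaf-data-other/bundle.jar");

        System.out.println("inside  weak=" + isInsideWeak(base, inside)
                + " strict=" + isInsideStrict(base, inside));   // both true
        System.out.println("sibling weak=" + isInsideWeak(base, sibling)
                + " strict=" + isInsideStrict(base, sibling));  // weak accepts the escape
        System.out.println("dotdot  weak=" + isInsideWeak(base, dotDot)
                + " strict=" + isInsideStrict(base, dotDot));   // weak accepts the escape
    }
}
```

Both inputs are canonicalized before the comparison, so symlinked temp directories (as on macOS) resolve consistently on both sides.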
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.karaf:apache-karaf | Maven | >= 4.3.0, < 4.3.6 | 4.3.6 |
| org.apache.karaf:apache-karaf | Maven | < 4.2.15 | 4.2.15 |
Affected products
- Apache Software Foundation / Apache Karaf
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-544x-2jx9-4pfg (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-22932 (GHSA, advisory)
- gitbox.apache.org/repos/asf (GHSA, web)
- gitbox.apache.org/repos/asf (GHSA, web)
- github.com/apache/karaf/pull/1485 (GHSA, web)
- issues.apache.org/jira/browse/KARAF-7326 (GHSA, web)
- karaf.apache.org/security/cve-2022-22932.txt (GHSA, x_refsource_MISC, web)
News mentions
No linked articles in our index yet.