Maven package
org.apache.karaf/apache-karaf
pkg:maven/org.apache.karaf/apache-karaf
Vulnerabilities (7)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2022-40145 | — | | | < 4.3.8 | 4.3.8 | Dec 21, 2022 | This vulnerability is about a potential code injection when an attacker has control of the target LDAP server used in the JDBC JNDI URL. The function jaas.modules.src.main.java.porg.apache.karaf.jass.modules.jdbc.JDBCUtils#doCreateDatasource uses InitialContext.lookup(jndiName) wit |
| CVE-2022-22932 | — | | | >= 4.3.0, < 4.3.6 | 4.3.6 | Jan 26, 2022 | Apache Karaf obr:* commands and the run goal on the karaf-maven-plugin have a partial path traversal which allows breaking out of the expected folder. The risk is low as obr:* commands are not widely used and the entry is set by the user. This has been fixed in revision: https://gitbox.apache.or |
| CVE-2019-0191 | — | | | < 4.2.3 | 4.2.3 | Mar 20, 2019 | The Apache Karaf kar deployer reads .kar archives and extracts the paths from the "repository/" and "resources/" entries in the zip file. It then writes out the content of these paths to the Karaf repo and resources directories. However, it doesn't do any validation on the paths in t |
| CVE-2018-11787 | — | | | < 3.0.9 | 3.0.9 | Sep 18, 2018 | In Apache Karaf versions prior to 3.0.9, 4.0.9, 4.1.1, when the webconsole feature is installed in Karaf, it is available at .../system/console and requires authentication to access it. One part of the console is a Gogo shell/console that gives access to the command line console o |
| CVE-2018-11786 | — | | | < 4.2.0 | 4.2.0 | Sep 18, 2018 | In Apache Karaf prior to the 4.2.0 release, if the sshd service in Karaf is left on so an administrator can manage the running instance, any user with rights to the Karaf console can pivot and read/write any file on the file system to which the Karaf process user has access. This can |
| CVE-2016-8750 | — | | | < 4.0.8 | 4.0.8 | Feb 19, 2018 | Apache Karaf prior to 4.0.8 used the LDAPLoginModule to authenticate users to a directory via LDAP. However, it did not encode usernames properly and hence was vulnerable to LDAP injection attacks leading to a denial of service. |
| CVE-2014-0219 | Med | 5.5 | | < 4.0.10 | 4.0.10 | Nov 15, 2017 | Apache Karaf before 4.0.10 enables a shutdown port on the loopback interface, which allows local users to cause a denial of service (shutdown) by sending a shutdown command to all listening high ports. |