
CVE-2018-11787
https://notcve.org/view.php?id=CVE-2018-11787
18 Sep 2018 — In Apache Karaf versions prior to 3.0.9, 4.0.9 and 4.1.1, when the webconsole feature is installed in Karaf, it is available at .../system/console and requires authentication to access it. One part of the console is a Gogo shell/console that gives access to the Karaf command line via a Web browser; when navigated to, it is available at .../system/console/gogo. Going directly to that URL does require authentication. • http://karaf.apache.org/security/cve-2018-11787.txt • CWE-287: Improper Authentication

CVE-2016-8750 – karaf: LDAP injection in LDAPLoginModule
https://notcve.org/view.php?id=CVE-2016-8750
19 Feb 2018 — Apache Karaf prior to 4.0.8 used the LDAPLoginModule to authenticate users against a directory via LDAP. It did not encode usernames properly and was therefore vulnerable to LDAP injection attacks, leading to a denial of service. • http://www.securityfocus.com/bid/103098 • CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
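The defect behind CVE-2016-8750 is a username spliced into an LDAP search filter without escaping. The Python below is an added example and not Karaf's LDAPLoginModule code: it puts the vulnerable filter construction beside the RFC 4515-escaped one and runs both against a constructed in-memory directory through a minimal filter evaluator, so the effect of an injected wildcard or stray parenthesis is visible. The "(uid=%u)" template with its %u placeholder, the sample entries and the evaluator are assumptions made for this demo, not Karaf configuration syntax.

```python
import re
from typing import Any, Dict, List, Tuple

# RFC 4515 escaping for a value placed inside an LDAP search filter:
# each special character becomes a backslash followed by two hex digits.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Encode untrusted text so the directory can only match it literally."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


# Filter template with a '%u' placeholder for the username. The placeholder
# convention is an assumption for this demo, not Karaf's documented syntax.
USER_FILTER_TEMPLATE = "(uid=%u)"


def build_filter_unsafe(username: str) -> str:
    """Vulnerable pattern: the username is spliced into the filter verbatim."""
    return USER_FILTER_TEMPLATE.replace("%u", username)


def build_filter_safe(username: str) -> str:
    """Fixed pattern: the username is escaped before it touches the filter."""
    return USER_FILTER_TEMPLATE.replace("%u", escape_filter_value(username))


# Constructed in-memory directory used in place of a real LDAP server.
DIRECTORY = [
    {"dn": "uid=alice,ou=people,dc=example,dc=org", "attrs": {"uid": ["alice"]}},
    {"dn": "uid=bob,ou=people,dc=example,dc=org", "attrs": {"uid": ["bob"]}},
    {"dn": "uid=carol,ou=people,dc=example,dc=org", "attrs": {"uid": ["carol"]}},
]


def _parse(s: str, i: int) -> Tuple[Any, int]:
    """Recursive-descent parser for (&...), (|...) and (attr=value) filters."""
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in "&|":
        op, parts, i = s[i], [], i + 1
        while i < len(s) and s[i] == "(":
            node, i = _parse(s, i)
            parts.append(node)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unterminated compound filter")
        return (op, parts), i + 1
    j = s.find(")", i)  # an escaped ')' is '\29', so this is the real terminator
    if j < 0:
        raise ValueError("unterminated assertion")
    attr, sep, value = s[i:j].partition("=")
    if not sep:
        raise ValueError("assertion without '='")
    return ("=", attr, value), j + 1


def parse_filter(s: str) -> Any:
    """Parse a whole filter; anything left over means it was malformed."""
    node, end = _parse(s, 0)
    if end != len(s):
        raise ValueError(f"trailing data after filter: {s[end:]!r}")
    return node


def _value_regex(pattern: str):
    """Assertion value to regex: '*' is a wildcard, '\\XX' decodes to a literal."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":
            if i + 3 > len(pattern):
                raise ValueError("bad escape sequence")
            out.append(re.escape(chr(int(pattern[i + 1:i + 3], 16))))
            i += 3
        elif ch == "*":
            out.append(".*")
            i += 1
        else:
            out.append(re.escape(ch))
            i += 1
    return re.compile("".join(out), re.IGNORECASE)


def _matches(node: Any, entry: Dict[str, Any]) -> bool:
    if node[0] == "=":
        rx = _value_regex(node[2])
        return any(rx.fullmatch(v) for v in entry["attrs"].get(node[1].lower(), []))
    combine = all if node[0] == "&" else any
    return combine(_matches(n, entry) for n in node[1])


def search(directory: List[Dict[str, Any]], filter_str: str) -> List[str]:
    """Return the DNs of every entry the filter matches."""
    node = parse_filter(filter_str)
    return [e["dn"] for e in directory if _matches(node, e)]


def lookup_user(username: str, escaped: bool) -> List[str]:
    """DNs a login module would get back for this username, with or without escaping."""
    flt = build_filter_safe(username) if escaped else build_filter_unsafe(username)
    return search(DIRECTORY, flt)
```

With the unsafe builder the username "*" returns every entry and "alice)" produces a filter the parser rejects outright, which is the shape of failure a login module turns into an error or an unexpectedly broad search; with escaping both usernames are matched literally and return nothing.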

CVE-2014-0219
https://notcve.org/view.php?id=CVE-2014-0219
15 Nov 2017 — Apache Karaf before 4.0.10 enables a shutdown port on the loopback interface, which allows local users to cause a denial of service (shutdown) by sending a shutdown command to all listening high ports. • http://karaf.apache.org/security/cve-2014-0219.txt • CWE-20: Improper Input Validation
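A local configuration check for the exposure described in CVE-2014-0219, added here as an example and not part of the page or of Karaf: it reads a Karaf-style etc/config.properties fragment and flags a shutdown listener that is enabled without a secret command, or bound beyond loopback, then produces a hardened copy of the settings. The property names karaf.shutdown.port, karaf.shutdown.host and karaf.shutdown.command and the meanings assumed for them (-1 picks a random high port, 0 disables the listener, the command is the secret a client must present) are this demo's assumptions, as are the constructed sample files.

```python
import re
import secrets
from typing import Dict, List, Tuple

# Constructed sample of a config.properties fragment with a weak shutdown
# listener: random high port, no secret. Property names and their meaning are
# assumptions made for this demo, not quoted from the advisory text above.
WEAK_CONFIG = """
# shutdown socket settings (constructed sample)
karaf.shutdown.port=-1
karaf.shutdown.host=localhost
karaf.shutdown.port.file=${karaf.data}/port
karaf.shutdown.command=
"""

# Constructed sample where the listener is switched off entirely.
DISABLED_CONFIG = """
karaf.shutdown.port=0
karaf.shutdown.host=localhost
"""

LOOPBACK_HOSTS = ("localhost", "127.0.0.1", "::1")
MIN_SECRET_LEN = 16


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: '#'/'!' comments, 'key=value' or 'key: value'."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"^([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def audit_shutdown_listener(props: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (code, message) findings for a weakly configured shutdown socket."""
    findings: List[Tuple[str, str]] = []
    port = props.get("karaf.shutdown.port", "-1")       # assumed default: random port
    host = props.get("karaf.shutdown.host", "localhost")
    command = props.get("karaf.shutdown.command", "")
    if port == "0":
        return findings  # assumed: 0 means no listener, nothing for a local user to hit
    if host not in LOOPBACK_HOSTS:
        findings.append(("EXPOSED_HOST", f"shutdown listener bound to {host}, not loopback"))
    if not command:
        findings.append(("EMPTY_COMMAND",
                         "no shutdown secret: any local process that sweeps the high ports can stop the container"))
    elif len(command) < MIN_SECRET_LEN:
        findings.append(("SHORT_COMMAND", "shutdown secret is short enough to brute-force"))
    return findings


def harden(props: Dict[str, str]) -> Dict[str, str]:
    """Copy of the settings with a random secret and a loopback bind, leaving the port as is."""
    fixed = dict(props)
    if len(fixed.get("karaf.shutdown.command", "")) < MIN_SECRET_LEN:
        fixed["karaf.shutdown.command"] = secrets.token_hex(16)
    if fixed.get("karaf.shutdown.host", "localhost") not in LOOPBACK_HOSTS:
        fixed["karaf.shutdown.host"] = "localhost"
    return fixed


def render_properties(props: Dict[str, str]) -> str:
    """Serialise back to key=value lines so the result can be written to etc/."""
    return "".join(f"{k}={v}\n" for k, v in props.items())
```

The port sweep the advisory describes only works when the string the listener expects is known; a random secret on the loopback listener, or disabling the listener with port 0, removes that, which is why the audit returns nothing for harden(parse_properties(WEAK_CONFIG)) and for DISABLED_CONFIG.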