CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2019-0226
https://notcve.org/view.php?id=CVE-2019-0226
Apache Karaf Config service provides a install method (via service or MBean) that could be used to travel in any directory and overwrite existing file. The vulnerability is low if the Karaf process user has limited permission on the filesystem. Any Apache Karaf version before 4.2.5 is impacted. User should upgrade to Apache Karaf 4.2.5 or later. En el servicio Apache Karaf Config proporciona un método de instalación (por medio de service o MBean) que se podría usar para viajar en cualquier directorio y sobrescribir el archivo se presentante. • https://lists.apache.org/thread.html/1baa6f1df0e95fb1cd679067117354af2ab4423277d9a0ff6e8bf790%40%3Cdev.karaf.apache.org%3E https://lists.apache.org/thread.html/r218c7e017af0a860ae21bf7ab77520fd2070c8f52db680eeec03a266%40%3Ccommits.karaf.apache.org%3E • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2019-0191
https://notcve.org/view.php?id=CVE-2019-0191
Apache Karaf kar deployer reads .kar archives and extracts the paths from the "repository/" and "resources/" entries in the zip file. It then writes out the content of these paths to the Karaf repo and resources directories. However, it doesn't do any validation on the paths in the zip file. This means that a malicious user could craft a .kar file with ".." directory names and break out of the directories to write arbitrary content to the filesystem. This is the "Zip-slip" vulnerability - https://snyk.io/research/zip-slip-vulnerability. • http://www.securityfocus.com/bid/107462 https://lists.apache.org/thread.html/6856aa7ed7dd805eaf65d0e5e95027dda3b2307aacd1ab4a838c5cd1%40%3Cuser.karaf.apache.org%3E https://lists.apache.org/thread.html/cef9a2d4b547625e5214684283ac5c59c9d9740e092e777dc3f85070%40%3Ccommits.karaf.apache.org%3E • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.8EPSS: 0%CPEs: 4EXPL: 1CVE-2018-11788
https://notcve.org/view.php?id=CVE-2018-11788
Apache Karaf provides a features deployer, which allows users to "hot deploy" a features XML by dropping the file directly in the deploy folder. The features XML is parsed by XMLInputFactory class. Apache Karaf XMLInputFactory class doesn't contain any mitigation codes against XXE. This is a potential security risk as an user can inject external XML entities in Apache Karaf version prior to 4.1.7 or 4.2.2. It has been fixed in Apache Karaf 4.1.7 and 4.2.2 releases. • https://github.com/brianwrf/CVE-2018-11788 http://karaf.apache.org/security/cve-2018-11788.txt http://www.securityfocus.com/bid/106479 • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2018-11786
https://notcve.org/view.php?id=CVE-2018-11786
In Apache Karaf prior to 4.2.0 release, if the sshd service in Karaf is left on so an administrator can manage the running instance, any user with rights to the Karaf console can pivot and read/write any file on the file system to which the Karaf process user has access. This can be locked down a bit by using chroot to change the root directory to protect files outside of the Karaf install directory; it can be further locked down by defining a security manager policy that limits file system access to those directories beneath the Karaf home that are necessary for the system to run. However, this still allows anyone with ssh access to the Karaf process to read and write a large number of files as the Karaf process user. En Apache Karaf en versiones anteriores a la 4.2.0, si el servicio sshd en Karaf se deja activo para que un administrador pueda gestionar la instancia en ejecución, cualquier usuario con derechos en la consola Karaf puede pivotar y leer/escribir cualquier archivo en el sistema de archivos al que el usuario del proceso Karaf tiene acceso. Esto puede bloquearse parcialmente empleando chroot para cambiar el directorio root para proteger archivos fuera del directorio de instalación de Karaf; puede bloquearse aún más definiendo una política de gestión de seguridad que limite el acceso del sistema de archivos a esos directorios en el inicio de Karaf que son necesarios para que el sistema se ejecute. • http://karaf.apache.org/security/cve-2018-11786.txt https://issues.apache.org/jira/browse/KARAF-5427 https://lists.apache.org/thread.html/5b7ac762c6bbe77ac5d9389f093fc6dbf196c36d788e3d7629e6c1d9%40%3Cdev.karaf.apache.org%3E • CWE-269: Improper Privilege Management •
CVSS: 8.1EPSS: 0%CPEs: 6EXPL: 0CVE-2018-11787
https://notcve.org/view.php?id=CVE-2018-11787
In Apache Karaf version prior to 3.0.9, 4.0.9, 4.1.1, when the webconsole feature is installed in Karaf, it is available at .../system/console and requires authentication to access it. One part of the console is a Gogo shell/console that gives access to the command line console of Karaf via a Web browser, and when navigated to it is available at .../system/console/gogo. Trying to go directly to that URL does require authentication. • http://karaf.apache.org/security/cve-2018-11787.txt https://issues.apache.org/jira/browse/KARAF-4993 https://lists.apache.org/thread.html/d9ba4c3104ba32225646879a057b75b54430f349c246c85469037d3c%40%3Cdev.karaf.apache.org%3E • CWE-287: Improper Authentication •