CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2019-0191
https://notcve.org/view.php?id=CVE-2019-0191
Apache Karaf kar deployer reads .kar archives and extracts the paths from the "repository/" and "resources/" entries in the zip file. It then writes out the content of these paths to the Karaf repo and resources directories. However, it doesn't do any validation on the paths in the zip file. This means that a malicious user could craft a .kar file with ".." directory names and break out of the directories to write arbitrary content to the filesystem. This is the "Zip-slip" vulnerability - https://snyk.io/research/zip-slip-vulnerability. • http://www.securityfocus.com/bid/107462 https://lists.apache.org/thread.html/6856aa7ed7dd805eaf65d0e5e95027dda3b2307aacd1ab4a838c5cd1%40%3Cuser.karaf.apache.org%3E https://lists.apache.org/thread.html/cef9a2d4b547625e5214684283ac5c59c9d9740e092e777dc3f85070%40%3Ccommits.karaf.apache.org%3E • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.8EPSS: 0%CPEs: 4EXPL: 1CVE-2018-11788
https://notcve.org/view.php?id=CVE-2018-11788
Apache Karaf provides a features deployer, which allows users to "hot deploy" a features XML by dropping the file directly in the deploy folder. The features XML is parsed by XMLInputFactory class. Apache Karaf XMLInputFactory class doesn't contain any mitigation codes against XXE. This is a potential security risk as an user can inject external XML entities in Apache Karaf version prior to 4.1.7 or 4.2.2. It has been fixed in Apache Karaf 4.1.7 and 4.2.2 releases. • https://github.com/brianwrf/CVE-2018-11788 http://karaf.apache.org/security/cve-2018-11788.txt http://www.securityfocus.com/bid/106479 • CWE-611: Improper Restriction of XML External Entity Reference •