CVE-2018-11787
https://notcve.org/view.php?id=CVE-2018-11787
In Apache Karaf version prior to 3.0.9, 4.0.9, 4.1.1, when the webconsole feature is installed in Karaf, it is available at .../system/console and requires authentication to access it. One part of the console is a Gogo shell/console that gives access to the command line console of Karaf via a Web browser, and when navigated to it is available at .../system/console/gogo. Trying to go directly to that URL does require authentication. • http://karaf.apache.org/security/cve-2018-11787.txt https://issues.apache.org/jira/browse/KARAF-4993 https://lists.apache.org/thread.html/d9ba4c3104ba32225646879a057b75b54430f349c246c85469037d3c%40%3Cdev.karaf.apache.org%3E • CWE-287: Improper Authentication
CVE-2016-8750 – karaf: LDAP injection in LDAPLoginModule
https://notcve.org/view.php?id=CVE-2016-8750
Apache Karaf prior to 4.0.8 used the LDAPLoginModule to authenticate users to a directory via LDAP. However, it did not encode usernames properly and hence was vulnerable to LDAP injection attacks leading to a denial of service. Apache Karaf uses the LDAPLoginModule to authenticate users to a directory via LDAP. • http://www.securityfocus.com/bid/103098 https://access.redhat.com/errata/RHSA-2018:1322 https://karaf.apache.org/security/cve-2016-8750.txt https://access.redhat.com/security/cve/CVE-2016-8750 https://bugzilla.redhat.com/show_bug.cgi?id=1524432 • CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
CVE-2014-0219
https://notcve.org/view.php?id=CVE-2014-0219
Apache Karaf before 4.0.10 enables a shutdown port on the loopback interface, which allows local users to cause a denial of service (shutdown) by sending a shutdown command to all listening high ports. • http://karaf.apache.org/security/cve-2014-0219.txt http://www.securityfocus.com/bid/101872 https://bugzilla.redhat.com/show_bug.cgi?id=1095974 • CWE-20: Improper Input Validation