CVE-2018-11787
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
In Apache Karaf version prior to 3.0.9, 4.0.9, 4.1.1, when the webconsole feature is installed in Karaf, it is available at .../system/console and requires authentication to access it. One part of the console is a Gogo shell/console that gives access to the command line console of Karaf via a Web browser, and when navigated to it is available at .../system/console/gogo. Trying to go directly to that URL does require authentication. And optional bundle that some applications use is the Pax Web Extender Whiteboard, it is part of the pax-war feature and perhaps others. When it is installed, the Gogo console becomes available at another URL .../gogo/, and that URL is not secured giving access to the Karaf console to unauthenticated users. A mitigation for the issue is to manually stop/uninstall Gogo plugin bundle that is installed with the webconsole feature, although of course this removes the console from the .../system/console application, not only from the unauthenticated endpoint. One could also stop/uninstall the Pax Web Extender Whiteboard, but other components/applications may require it and so their functionality would be reduced/compromised.
En Apache Karaf en versiones anteriores a la 3.0.9, 4.0.9 y 4.1.1, cuando la característica webconsole está instalada en Karaf, está disponible en .../system/console y requiere autenticación para acceder a ella. Una parte de la consola es un shell/consola Gogo que otorga acceso a la consola de línea de comandos de Karaf mediante un navegador web y, cuando se navega hasta ella, está disponible en .../system/console/gogo. Intentar acceder directamente a esa URL requiere autenticación. Un paquete opcional empleado por algunas aplicaciones es Pax Web Extender Whiteboard, que forma parte de la característica pax-war y tal vez de otras. Cuando está instalada, la consola Gogo se vuelve disponible en otra URL../gogo/, y esa URL no es segura, lo que otorga acceso a la consola Karaf a usuarios no autenticados. Una mitigación a este problema es detener/desinstalar manualmente el paquete del plugin Gogo que está instalado con la funcionalidad webconsole, aunque esto elimina la consola de la aplicación en .../system/console, no solo del endpoint sin autenticar. También se podría detener/desinstalar Pax Web Extender Whiteboard, pero otros componentes/aplicaciones podrían necesitarlo y, por lo tanto, su funcionalidad se vería reducida/comprometida.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2018-06-05 CVE Reserved
- 2018-09-18 CVE Published
- 2023-03-07 EPSS Updated
- 2024-09-17 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-287: Improper Authentication
CAPEC
References (3)
| URL | Tag | Source |
|---|---|---|
| https://lists.apache.org/thread.html/d9ba4c3104ba32225646879a057b75b54430f349c246c85469037d3c%40%3Cdev.karaf.apache.org%3E | Mailing List |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| http://karaf.apache.org/security/cve-2018-11787.txt | 2023-11-07 |
| URL | Date | SRC |
|---|---|---|
| https://issues.apache.org/jira/browse/KARAF-4993 | 2023-11-07 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Apache Search vendor "Apache" | Karaf Search vendor "Apache" for product "Karaf" | < 3.0.9 Search vendor "Apache" for product "Karaf" and version " < 3.0.9" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Karaf Search vendor "Apache" for product "Karaf" | >= 4.0.0 < 4.0.9 Search vendor "Apache" for product "Karaf" and version " >= 4.0.0 < 4.0.9" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Karaf Search vendor "Apache" for product "Karaf" | >= 4.1.0 < 4.1.1 Search vendor "Apache" for product "Karaf" and version " >= 4.1.0 < 4.1.1" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Karaf Search vendor "Apache" for product "Karaf" | 4.0.0 Search vendor "Apache" for product "Karaf" and version "4.0.0" | milestone1 |
Affected
| ||||||
| Apache Search vendor "Apache" | Karaf Search vendor "Apache" for product "Karaf" | 4.0.0 Search vendor "Apache" for product "Karaf" and version "4.0.0" | milestone2 |
Affected
| ||||||
| Apache Search vendor "Apache" | Karaf Search vendor "Apache" for product "Karaf" | 4.0.0 Search vendor "Apache" for product "Karaf" and version "4.0.0" | milestone3 |
Affected
| ||||||