CVE-2020-11980

karaf: A remote client could create MBeans from arbitrary URLs

  • Severity Score: 6.3 (CVSS v3.1)

  • Public Exploits: 0 (Multiple Sources)
  • Exploited in Wild: - (KEV)
  • Decision: - (SSVC)

Descriptions

In Karaf, JMX authentication takes place using JAAS and authorization takes place using ACL files. By default, only an "admin" can actually invoke on an MBean. However, there is a vulnerability for someone who is not an admin but has a "viewer" role. In 'etc/jmx.acl.cfg', such a role can call get*. It is possible to authenticate with a viewer role and invoke the MLet getMBeansFromURL method, which goes off to a remote server to fetch the desired MBean, which is then registered in Karaf. At this point the attack fails, as "viewer" doesn't have the permission to invoke on the MBean. Still, it could act as an SSRF-style attack, and it essentially allows a "viewer" role to pollute the MBean registry, which is a kind of privilege escalation. The vulnerability is low as it's possible to add an ACL to limit access. Users should update to Apache Karaf 4.2.9 or newer.

*Credits: N/A
CVSS Scores
  • Attack Vector: Network; Attack Complexity: Low; Privileges Required: Low; User Interaction: None; Scope: Unchanged; Confidentiality: Low; Integrity: Low; Availability: Low
  • Attack Vector: Network; Attack Complexity: Low; Privileges Required: Low; User Interaction: None; Scope: Unchanged; Confidentiality: High; Integrity: High; Availability: High
  • Attack Vector: Network; Attack Complexity: Low; Authentication: Single; Confidentiality: Partial; Integrity: Partial; Availability: Partial
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2020-04-21 CVE Reserved
  • 2020-06-12 CVE Published
  • 2023-05-05 EPSS Updated
  • 2024-08-04 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-918: Server-Side Request Forgery (SSRF)
CAPEC
Affected Vendors, Products, and Versions
  • Vendor: Apache; Product: Karaf; Version: < 4.2.9; Other: -; Status: Affected