CVE-2022-22932

Path traversal flaws

Severity Score

5.3

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Apache Karaf obr:* commands and run goal on the karaf-maven-plugin have partial path traversal which allows to break out of expected folder. The risk is low as obr:* commands are not very used and the entry is set by user. This has been fixed in revision: https://gitbox.apache.org/repos/asf?p=karaf.git;h=36a2bc4 https://gitbox.apache.org/repos/asf?p=karaf.git;h=52b70cf Mitigation: Apache Karaf users should upgrade to 4.2.15 or 4.3.6 or later as soon as possible, or use correct path. JIRA Tickets: https://issues.apache.org/jira/browse/KARAF-7326

Los comandos de Apache Karaf obr:* y el objetivo de ejecución en el karaf-maven-plugin tienen un salto de ruta parcial que permite salirse de la carpeta esperada. El riesgo es bajo ya que los comandos obr:* no son muy usados y la entrada es establecida por el usuario. Esto ha sido corregido en la revisión: https://gitbox.apache.org/repos/asf?p=karaf.git;h=36a2bc4 https://gitbox.apache.org/repos/asf?p=karaf.git;h=52b70cf Mitigación: Los usuarios de Apache Karaf deben actualizar a versiones 4.2.15 o 4.3.6 o posteriores lo antes posible, o usar la ruta correcta. Entradas de JIRA: https://issues.apache.org/jira/browse/KARAF-7326

A flaw was found in the Apache Karaf obr:* command, where a partial path traversal issue allows a break out of the expected folder. This entry is set by the user.

This release of Red Hat Fuse 7.11.0 serves as a replacement for Red Hat Fuse 7.10 and includes bug fixes and enhancements, which are documented in the Release Notes document linked in the References. Issues addressed include HTTP request smuggling, bypass, code execution, denial of service, deserialization, information leakage, memory leak, privilege escalation, and traversal vulnerabilities.

*Credits: This issue was discovered and reported by GHSL team member Jaroslav Lobacevski

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-01-10 CVE Reserved
2022-01-26 CVE Published
2024-08-03 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CAPEC

References (3)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://karaf.apache.org/security/cve-2022-22932.txt	2022-02-03
https://access.redhat.com/security/cve/CVE-2022-22932	2022-07-07
https://bugzilla.redhat.com/show_bug.cgi?id=2046279	2022-07-07

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Apache Search vendor "Apache"		Karaf Search vendor "Apache" for product "Karaf"				< 4.2.15 Search vendor "Apache" for product "Karaf" and version " < 4.2.15"		-		Affected
Apache Search vendor "Apache"		Karaf Search vendor "Apache" for product "Karaf"				>= 4.3.0 < 4.3.6 Search vendor "Apache" for product "Karaf" and version " >= 4.3.0 < 4.3.6"		-		Affected