CVE-2018-11787 – org.apache.karaf:apache-karaf

Package

Manager: maven
Name: org.apache.karaf:apache-karaf
Vulnerable Version: >=0 <3.0.9 || >=4.0.0 <4.0.9 || =4.1.0 || >=4.1.0 <4.1.1

Severity

Level: High

CVSS v3.1: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00697 pctl0.71043

Details

Improper Authentication in Apache Karaf In Apache Karaf version prior to 3.0.9, 4.0.9, 4.1.1, when the webconsole feature is installed in Karaf, it is available at .../system/console and requires authentication to access it. One part of the console is a Gogo shell/console that gives access to the command line console of Karaf via a Web browser, and when navigated to it is available at .../system/console/gogo. Trying to go directly to that URL does require authentication. And optional bundle that some applications use is the Pax Web Extender Whiteboard, it is part of the pax-war feature and perhaps others. When it is installed, the Gogo console becomes available at another URL .../gogo/, and that URL is not secured giving access to the Karaf console to unauthenticated users. A mitigation for the issue is to manually stop/uninstall Gogo plugin bundle that is installed with the webconsole feature, although of course this removes the console from the .../system/console application, not only from the unauthenticated endpoint. One could also stop/uninstall the Pax Web Extender Whiteboard, but other components/applications may require it and so their functionality would be reduced/compromised.

Metadata

Created: 2019-01-07T19:14:51Z
Modified: 2022-09-14T22:34:31Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-cq9c-55r7-455x/GHSA-cq9c-55r7-455x.json
CWE IDs: ["CWE-287"]
Alternative ID: GHSA-cq9c-55r7-455x
Finding: F039
Auto approve: 1