CVE-2019-0226 – org.apache.karaf.config:org.apache.karaf.config.core
Package
Manager: maven
Name: org.apache.karaf.config:org.apache.karaf.config.core
Vulnerable Version: >=0 <4.2.5
Severity
Level: Medium
CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
EPSS: 0.01615 (percentile 0.81095)
Details
Apache Karaf vulnerable to relative path traversal
The Apache Karaf Config service provides an install method (exposed via an OSGi service and an MBean) that could be used to traverse to any directory and overwrite existing files. The impact is low if the Karaf process user has limited permissions on the filesystem. Any Apache Karaf version before 4.2.5 is affected. Users should upgrade to Apache Karaf 4.2.5 or later.
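The weakness described above is a caller-supplied file name being joined onto a configuration directory without checking that the result stays inside it. The following is an added illustration of the defensive check, written for this page; it is not Apache Karaf's code and makes no claim about how the Karaf Config service is implemented. The class name `SafeConfigInstaller`, the method names and the temporary directory used as a stand-in for Karaf's `etc/` directory are all assumptions made for the example.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardOpenOption;
import java.util.Properties;

// Hypothetical hardened installer (example code, not Apache Karaf's).
public final class SafeConfigInstaller {

    // Absolute, normalized base directory; every write must land beneath it.
    private final Path etcDir;

    public SafeConfigInstaller(Path etcDir) {
        this.etcDir = etcDir.toAbsolutePath().normalize();
    }

    /**
     * Resolve a caller-supplied file name against the config directory and
     * refuse any result that does not stay inside it. Normalizing first
     * collapses "." and ".." segments, so a name such as "../x.cfg" or an
     * absolute path can no longer escape the startsWith check.
     */
    Path resolveInside(String fileName) {
        Path target = etcDir.resolve(fileName).normalize();
        if (target.equals(etcDir) || !target.startsWith(etcDir)) {
            throw new IllegalArgumentException(
                "refusing to write outside the config directory: " + fileName);
        }
        return target;
    }

    /** Store the properties in the resolved file, creating or replacing it. */
    public Path install(String fileName, Properties props) throws IOException {
        Path target = resolveInside(fileName);
        Files.createDirectories(target.getParent());
        try (OutputStream out = Files.newOutputStream(target,
                StandardOpenOption.CREATE,
                StandardOpenOption.TRUNCATE_EXISTING,
                StandardOpenOption.WRITE)) {
            props.store(out, "installed by SafeConfigInstaller (example)");
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sandbox directory standing in for Karaf's etc/ folder.
        Path etc = Files.createTempDirectory("karaf-etc-demo");
        SafeConfigInstaller installer = new SafeConfigInstaller(etc);

        Properties props = new Properties();
        props.setProperty("example.key", "example.value");

        // A plain file name is accepted and written inside the sandbox.
        System.out.println("accepted: " + installer.install("my.service.cfg", props));

        // Constructed names that would leave the directory are rejected before
        // any file is opened.
        String[] rejected = {"../outside.cfg", "sub/../../escape.cfg", "/tmp/absolute.cfg"};
        for (String name : rejected) {
            try {
                installer.install(name, props);
                System.out.println("UNEXPECTED: accepted " + name);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + name);
            }
        }
    }
}
```

The check relies on normalizing before comparing: `Path.startsWith` on an un-normalized path would accept `etc/../outside.cfg` because the first path segments still match. Rejecting `target.equals(etcDir)` also prevents an empty or `"."` name from being treated as a writable file.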
Metadata
Created: 2022-05-24T16:45:24Z
Modified: 2022-11-07T20:28:42Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-fjw4-39pg-vf4f/GHSA-fjw4-39pg-vf4f.json
CWE IDs: ["CWE-22"]
Alternative ID: GHSA-fjw4-39pg-vf4f
Finding: F063
Auto approve: 1