5 matches found
EUVD-2022-0940
Malicious code in bioql PyPI...
Server-Side Request Forgery in Karaf
In Karaf, JMX authentication takes place using JAAS and authorization takes place using ACL files. By default, only an "admin" can actually invoke on an MBean. However there is a vulnerability there for someone who is not an admin, but has a "viewer" role. In the 'etc/jmx.acl.cfg', such as role c...
CVE-2020-11980
In Karaf, JMX authentication takes place using JAAS and authorization takes place using ACL files. By default, only an "admin" can actually invoke on an MBean. However there is a vulnerability there for someone who is not an admin, but has a "viewer" role. In the 'etc/jmx.acl.cfg', such as role c...
Privilege escalation
In Karaf, JMX authentication takes place using JAAS and authorization takes place using ACL files. By default, only an "admin" can actually invoke on an MBean. However there is a vulnerability there for someone who is not an admin, but has a "viewer" role. In the 'etc/jmx.acl.cfg', such as role c...
CVE-2020-11980
CVE-2020-11980 affects Apache Karaf JMX where JAAS-based authentication and ACL-based authorization allow a non-admin with a viewer role to call get* via etc/jmx.acl.cfg, potentially triggering getMBeansFromURL to fetch MBeans remotely and register them, enabling SSRF-like behavior and MBean regi...