152 matches found
Zip Slip Vulnerability
Apache Karaf is vulnerable to zip slip. The vulnerability exists because it does not validate the presence of .. in the file path before performing the extraction of files from the "repository/" and "resources/" entries in the zip file and directly writing the content to its repository and...
Apache Karaf XML External Entity Injection Vulnerability
Apache Karaf is the United States Apache Apache Software Foundation for the deployment of applications and components of a lightweight OSGi Java Dynamic Modular System container. An XML external entity injection vulnerability exists in Apache Karaf versions prior to 4.1.7 and prior to 4.2.2. An...
com.cibuddy:karaf.assembly (=1.0.0), com.kagurabi.services:kagura-assembly (>=1.5 <=1.9) +23 more potentially affected by CVE-2018-11787 via org.apache.karaf:apache-karaf (>=2.0.0 <=3.0.8)
org.apache.karaf:apache-karaf MAVEN version =2.0.0, =1.5, =1.5.6, =4.4.1, =1.1.2, =2.0.0, =2.0.6, =2.7.7, =3.0.0, =1.6.1-incubating, =1.6.1-incubating, =2.2.3, =2.0.0, =2.0.0, =2.2.11 and more Source cves: CVE-2018-11787 Source advisory: OSV:GHSA-CQ9C-55R7-455X...
GHSA-CQ9C-55R7-455X Improper Authentication in Apache Karaf
In Apache Karaf version prior to 3.0.9, 4.0.9, 4.1.1, when the webconsole feature is installed in Karaf, it is available at .../system/console and requires authentication to access it. One part of the console is a Gogo shell/console that gives access to the command line console of Karaf via a Web...
Improper Authentication in Apache Karaf
In Apache Karaf version prior to 3.0.9, 4.0.9, 4.1.1, when the webconsole feature is installed in Karaf, it is available at .../system/console and requires authentication to access it. One part of the console is a Gogo shell/console that gives access to the command line console of Karaf via a Web...
GHSA-92WJ-X78C-M4FX XML External Entity Reference in Apache Karaf
Apache Karaf provides a features deployer, which allows users to "hot deploy" a features XML by dropping the file directly in the deploy folder. The features XML is parsed by XMLInputFactory class. Apache Karaf XMLInputFactory class doesn't contain any mitigation codes against XXE. This is a...
XML External Entity Reference in Apache Karaf
Apache Karaf provides a features deployer, which allows users to "hot deploy" a features XML by dropping the file directly in the deploy folder. The features XML is parsed by XMLInputFactory class. Apache Karaf XMLInputFactory class doesn't contain any mitigation codes against XXE. This is a...
GHSA-CHJ8-5XGW-WCVJ Moderate severity vulnerability that affects org.apache.karaf:apache-karaf
Apache Karaf prior to 4.0.8 used the LDAPLoginModule to authenticate users to a directory via LDAP. However, it did not encoding usernames properly and hence was vulnerable to LDAP injection attacks leading to a denial of service...
Moderate severity vulnerability that affects org.apache.karaf:apache-karaf
Apache Karaf prior to 4.0.8 used the LDAPLoginModule to authenticate users to a directory via LDAP. However, it did not encoding usernames properly and hence was vulnerable to LDAP injection attacks leading to a denial of service...
CVE-2018-11788
Apache Karaf provides a features deployer, which allows users to "hot deploy" a features XML by dropping the file directly in the deploy folder. The features XML is parsed by XMLInputFactory class. Apache Karaf XMLInputFactory class doesn't contain any mitigation codes against XXE. This is a...
Design/Logic Flaw
Apache Karaf provides a features deployer, which allows users to "hot deploy" a features XML by dropping the file directly in the deploy folder. The features XML is parsed by XMLInputFactory class. Apache Karaf XMLInputFactory class doesn't contain any mitigation codes against XXE. This is a...
CVE-2018-11788
Apache Karaf provides a features deployer, which allows users to "hot deploy" a features XML by dropping the file directly in the deploy folder. The features XML is parsed by XMLInputFactory class. Apache Karaf XMLInputFactory class doesn't contain any mitigation codes against XXE. This is a...
CVE-2018-11788
Apache Karaf contains an XXE vulnerability in its XMLInputFactory used by the features deployer. The XMLInputFactory does not implement mitigation against external entities, enabling potential XML External Entity Injection in Karaf versions prior to 4.1.7 and prior to 4.2.2. First fixed in Karaf ...
CVE-2018-11788
Apache Karaf provides a features deployer, which allows users to "hot deploy" a features XML by dropping the file directly in the deploy folder. The features XML is parsed by XMLInputFactory class. Apache Karaf XMLInputFactory class doesn't contain any mitigation codes against XXE. This is a...
CVE-2018-11788
A flaw was found in the Apache Karaf XMLInputFactory, where it does not prevent External Entity Processing XXE. This is a potential security risk as an attacker could inject external XML entities to access sensitive information or conduct further attacks...
ch.sourcepond.commons:smartswitch-tests (>=2.0.0 <=4.0.2), ch.sourcepond.io:checksum-tests (>=1.0.3 <=4.0.3) +39 more potentially affected by CVE-2018-11786 via org.apache.karaf:apache-karaf (>=2.0.0 <=4.1.6)
org.apache.karaf:apache-karaf MAVEN version =2.0.0, =2.0.0, =1.0.3, =1.0.0, =1.0.0, =1.5, =1.5.6, =4.4.1, =1.1.2, =1.0.0, =2.0.0, =2.0.6, =4.1.5.hyte-4005, =4.1.6.hyte-4006 and more Source cves: CVE-2018-11786 Source advisory: OSV:GHSA-9448-C9WQ-JG9V...
GHSA-9448-C9WQ-JG9V Improper Privilege Management in Apache Karaf
In Apache Karaf prior to 4.2.0 release, if the sshd service in Karaf is left on so an administrator can manage the running instance, any user with rights to the Karaf console can pivot and read/write any file on the file system to which the Karaf process user has access. This can be locked down a...
Improper Privilege Management in Apache Karaf
In Apache Karaf prior to 4.2.0 release, if the sshd service in Karaf is left on so an administrator can manage the running instance, any user with rights to the Karaf console can pivot and read/write any file on the file system to which the Karaf process user has access. This can be locked down a...
Unspecified Vulnerability in Apache Karaf
Apache Karaf is the United States Apache Apache Software Foundation for the deployment of applications and components of a lightweight OSGi Java Dynamic Modular System container. A security vulnerability exists in Apache Karaf versions prior to 3.0.9, prior to 4.0.9, and prior to 4.1.1. No detail...
CVE-2018-11787
In Apache Karaf version prior to 3.0.9, 4.0.9, 4.1.1, when the webconsole feature is installed in Karaf, it is available at .../system/console and requires authentication to access it. One part of the console is a Gogo shell/console that gives access to the command line console of Karaf via a Web...