Lucene search
+L

152 matches found

Veracode
Veracode
added 2019/03/08 5:41 a.m.21 views

Zip Slip Vulnerability

Apache Karaf is vulnerable to zip slip. The vulnerability exists because it does not validate the presence of .. in the file path before performing the extraction of files from the "repository/" and "resources/" entries in the zip file and directly writing the content to its repository and...

6.5CVSS6.3AI score0.04858EPSS
Exploits0References6Affected Software1
CNVD
CNVD
added 2019/01/08 12:0 a.m.5 views

Apache Karaf XML External Entity Injection Vulnerability

Apache Karaf is the United States Apache Apache Software Foundation for the deployment of applications and components of a lightweight OSGi Java Dynamic Modular System container. An XML external entity injection vulnerability exists in Apache Karaf versions prior to 4.1.7 and prior to 4.2.2. An...

9.8CVSS7.2AI score0.0748EPSS
Exploits0References1
vulnersOsv
vulnersOsv
added 2019/01/07 7:14 p.m.5 views

com.cibuddy:karaf.assembly (=1.0.0), com.kagurabi.services:kagura-assembly (>=1.5 <=1.9) +23 more potentially affected by CVE-2018-11787 via org.apache.karaf:apache-karaf (>=2.0.0 <=3.0.8)

org.apache.karaf:apache-karaf MAVEN version =2.0.0, =1.5, =1.5.6, =4.4.1, =1.1.2, =2.0.0, =2.0.6, =2.7.7, =3.0.0, =1.6.1-incubating, =1.6.1-incubating, =2.2.3, =2.0.0, =2.0.0, =2.2.11 and more Source cves: CVE-2018-11787 Source advisory: OSV:GHSA-CQ9C-55R7-455X...

8.1CVSS7.2AI score0.02573EPSS
Exploits0
OSV
OSV
added 2019/01/07 7:14 p.m.4 views

GHSA-CQ9C-55R7-455X Improper Authentication in Apache Karaf

In Apache Karaf version prior to 3.0.9, 4.0.9, 4.1.1, when the webconsole feature is installed in Karaf, it is available at .../system/console and requires authentication to access it. One part of the console is a Gogo shell/console that gives access to the command line console of Karaf via a Web...

8.1CVSS7.1AI score0.02573EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added 2019/01/07 7:14 p.m.42 views

Improper Authentication in Apache Karaf

In Apache Karaf version prior to 3.0.9, 4.0.9, 4.1.1, when the webconsole feature is installed in Karaf, it is available at .../system/console and requires authentication to access it. One part of the console is a Gogo shell/console that gives access to the command line console of Karaf via a Web...

8.1CVSS3.2AI score0.02573EPSS
Exploits0References5Affected Software1
OSV
OSV
added 2019/01/07 7:14 p.m.2 views

GHSA-92WJ-X78C-M4FX XML External Entity Reference in Apache Karaf

Apache Karaf provides a features deployer, which allows users to "hot deploy" a features XML by dropping the file directly in the deploy folder. The features XML is parsed by XMLInputFactory class. Apache Karaf XMLInputFactory class doesn't contain any mitigation codes against XXE. This is a...

9.8CVSS7AI score0.0748EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added 2019/01/07 7:14 p.m.40 views

XML External Entity Reference in Apache Karaf

Apache Karaf provides a features deployer, which allows users to "hot deploy" a features XML by dropping the file directly in the deploy folder. The features XML is parsed by XMLInputFactory class. Apache Karaf XMLInputFactory class doesn't contain any mitigation codes against XXE. This is a...

9.8CVSS3.1AI score0.0748EPSS
Exploits0References5Affected Software1
OSV
OSV
added 2019/01/07 7:14 p.m.4 views

GHSA-CHJ8-5XGW-WCVJ Moderate severity vulnerability that affects org.apache.karaf:apache-karaf

Apache Karaf prior to 4.0.8 used the LDAPLoginModule to authenticate users to a directory via LDAP. However, it did not encoding usernames properly and hence was vulnerable to LDAP injection attacks leading to a denial of service...

6.5CVSS6.8AI score0.05277EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added 2019/01/07 7:14 p.m.38 views

Moderate severity vulnerability that affects org.apache.karaf:apache-karaf

Apache Karaf prior to 4.0.8 used the LDAPLoginModule to authenticate users to a directory via LDAP. However, it did not encoding usernames properly and hence was vulnerable to LDAP injection attacks leading to a denial of service...

6.5CVSS4.8AI score0.05277EPSS
Exploits0References5Affected Software1
NVD
NVD
added 2019/01/07 4:29 p.m.39 views

CVE-2018-11788

Apache Karaf provides a features deployer, which allows users to "hot deploy" a features XML by dropping the file directly in the deploy folder. The features XML is parsed by XMLInputFactory class. Apache Karaf XMLInputFactory class doesn't contain any mitigation codes against XXE. This is a...

9.8CVSS9.4AI score0.0748EPSS
Exploits0References2
Prion
Prion
added 2019/01/07 4:29 p.m.22 views

Design/Logic Flaw

Apache Karaf provides a features deployer, which allows users to "hot deploy" a features XML by dropping the file directly in the deploy folder. The features XML is parsed by XMLInputFactory class. Apache Karaf XMLInputFactory class doesn't contain any mitigation codes against XXE. This is a...

7.5CVSS9.4AI score0.0748EPSS
Exploits0References2Affected Software1
OSV
OSV
added 2019/01/07 4:29 p.m.34 views

CVE-2018-11788

Apache Karaf provides a features deployer, which allows users to "hot deploy" a features XML by dropping the file directly in the deploy folder. The features XML is parsed by XMLInputFactory class. Apache Karaf XMLInputFactory class doesn't contain any mitigation codes against XXE. This is a...

9.8CVSS9.4AI score0.0748EPSS
Exploits0References2
CVE
CVE
added 2019/01/07 4:0 p.m.103 views

CVE-2018-11788

Apache Karaf contains an XXE vulnerability in its XMLInputFactory used by the features deployer. The XMLInputFactory does not implement mitigation against external entities, enabling potential XML External Entity Injection in Karaf versions prior to 4.1.7 and prior to 4.2.2. First fixed in Karaf ...

9.8CVSS9.3AI score0.0748EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added 2019/01/07 4:0 p.m.43 views

CVE-2018-11788

Apache Karaf provides a features deployer, which allows users to "hot deploy" a features XML by dropping the file directly in the deploy folder. The features XML is parsed by XMLInputFactory class. Apache Karaf XMLInputFactory class doesn't contain any mitigation codes against XXE. This is a...

9.5AI score0.0748EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2019/01/07 9:19 a.m.28 views

CVE-2018-11788

A flaw was found in the Apache Karaf XMLInputFactory, where it does not prevent External Entity Processing XXE. This is a potential security risk as an attacker could inject external XML entities to access sensitive information or conduct further attacks...

9.8CVSS3.5AI score0.0748EPSS
Exploits0References2
vulnersOsv
vulnersOsv
added 2018/12/21 5:49 p.m.6 views

ch.sourcepond.commons:smartswitch-tests (>=2.0.0 <=4.0.2), ch.sourcepond.io:checksum-tests (>=1.0.3 <=4.0.3) +39 more potentially affected by CVE-2018-11786 via org.apache.karaf:apache-karaf (>=2.0.0 <=4.1.6)

org.apache.karaf:apache-karaf MAVEN version =2.0.0, =2.0.0, =1.0.3, =1.0.0, =1.0.0, =1.5, =1.5.6, =4.4.1, =1.1.2, =1.0.0, =2.0.0, =2.0.6, =4.1.5.hyte-4005, =4.1.6.hyte-4006 and more Source cves: CVE-2018-11786 Source advisory: OSV:GHSA-9448-C9WQ-JG9V...

9CVSS7.2AI score0.01904EPSS
Exploits0
OSV
OSV
added 2018/12/21 5:49 p.m.19 views

GHSA-9448-C9WQ-JG9V Improper Privilege Management in Apache Karaf

In Apache Karaf prior to 4.2.0 release, if the sshd service in Karaf is left on so an administrator can manage the running instance, any user with rights to the Karaf console can pivot and read/write any file on the file system to which the Karaf process user has access. This can be locked down a...

8.8CVSS8.6AI score0.01904EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added 2018/12/21 5:49 p.m.28 views

Improper Privilege Management in Apache Karaf

In Apache Karaf prior to 4.2.0 release, if the sshd service in Karaf is left on so an administrator can manage the running instance, any user with rights to the Karaf console can pivot and read/write any file on the file system to which the Karaf process user has access. This can be locked down a...

9CVSS1.5AI score0.01904EPSS
Exploits0References5Affected Software1
CNVD
CNVD
added 2018/09/20 12:0 a.m.5 views

Unspecified Vulnerability in Apache Karaf

Apache Karaf is the United States Apache Apache Software Foundation for the deployment of applications and components of a lightweight OSGi Java Dynamic Modular System container. A security vulnerability exists in Apache Karaf versions prior to 3.0.9, prior to 4.0.9, and prior to 4.1.1. No detail...

8.1CVSS8.1AI score0.02573EPSS
Exploits0References1
NVD
NVD
added 2018/09/18 2:29 p.m.48 views

CVE-2018-11787

In Apache Karaf version prior to 3.0.9, 4.0.9, 4.1.1, when the webconsole feature is installed in Karaf, it is available at .../system/console and requires authentication to access it. One part of the console is a Gogo shell/console that gives access to the command line console of Karaf via a Web...

8.1CVSS8.1AI score0.02573EPSS
Exploits0References3
Rows per page
Query Builder