EPSS Percentile: 70.2%
Apache Karaf is vulnerable to deserialization of untrusted data. The vulnerability exists in the doStart function of Activator.java because the credentials are not filtered, which allows an attacker to send malicious inputs.
github.com/advisories/GHSA-jh5g-9m4v-9vv9
github.com/apache/karaf/commit/93a019c.patch
github.com/apache/karaf/commit/b42c82ca3b9a22bd92d249a1060a1953f4188bc2
github.com/apache/karaf/pull/1475
issues.apache.org/jira/browse/KARAF-7312
karaf.apache.org/security/cve-2021-41766.txt