org.apache.karaf.jaas.modules (Apache Karaf) is vulnerable to remote code execution via JNDI injection. The doCreateDatasource function in JDBCUtils.java does not validate the jndiName parameter when the JNDI scheme is used: a configuration whose data source URI is a JNDI LDAP URL is passed unfiltered to the JNDI lookup, so if that URI points at an LDAP server controlled by the attacker, the server's response can make the Karaf process load and execute attacker-supplied code. Exploitation therefore requires influencing the configured data source name (for example the JDBC login module's datasource setting) so that it references an attacker-controlled LDAP server. Affected: Apache Karaf 4.3.0 to 4.3.7 and 4.4.0 to 4.4.1. Fixed in 4.3.8 and 4.4.2.
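The pattern behind this advisory, as an added illustration that is not Karaf's own JDBCUtils code or its fix: an unvalidated InitialContext.lookup() on a configured name beside a hardened lookup that rejects any name carrying a remote provider URL scheme. The class and method names, the allow-list of local schemes (java:, osgi:) and the sample names are assumptions made for the example.

```java
import java.util.Locale;
import java.util.Set;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.sql.DataSource;

// Added illustration of the CVE-2022-40145 pattern; not Karaf's JDBCUtils.
public class JndiNameCheckExample {

    // Vulnerable shape: the configured name goes straight to InitialContext.lookup().
    // A name such as "ldap://attacker.example:1389/Exploit" makes the JDK's LDAP
    // provider connect to that server, which can answer with a serialized object or
    // a Reference to a factory class chosen by the attacker.
    static DataSource lookupUnvalidated(String jndiName) throws NamingException {
        Context ctx = new InitialContext();
        return (DataSource) ctx.lookup(jndiName);
    }

    // Assumed allow-list: "java:" is the container namespace (java:comp/env/...),
    // "osgi:" is the OSGi JNDI namespace Karaf uses. Any other scheme
    // (ldap, ldaps, rmi, iiop, dns, ...) selects a remote provider and is rejected.
    private static final Set<String> LOCAL_SCHEMES = Set.of("java", "osgi");

    // Returns the lower-cased scheme if the name has the form "scheme:..." with the
    // colon before the first '/', otherwise null (a plain compound name).
    static String schemeOf(String jndiName) {
        int colon = jndiName.indexOf(':');
        int slash = jndiName.indexOf('/');
        if (colon <= 0 || (slash >= 0 && slash < colon)) {
            return null;
        }
        String scheme = jndiName.substring(0, colon);
        if (!scheme.matches("[A-Za-z][A-Za-z0-9+.-]*")) {
            return null;
        }
        return scheme.toLowerCase(Locale.ROOT);
    }

    // Hardened check: refuse the lookup unless the name is local.
    static void requireLocalJndiName(String jndiName) {
        if (jndiName == null || jndiName.isBlank()) {
            throw new IllegalArgumentException("empty JNDI name");
        }
        String scheme = schemeOf(jndiName);
        if (scheme != null && !LOCAL_SCHEMES.contains(scheme)) {
            throw new IllegalArgumentException(
                "JNDI name uses remote provider scheme '" + scheme + "': " + jndiName);
        }
    }

    static DataSource lookupValidated(String jndiName) throws NamingException {
        requireLocalJndiName(jndiName);
        Context ctx = new InitialContext();
        return (DataSource) ctx.lookup(jndiName);
    }

    public static void main(String[] args) {
        // Constructed sample names; only the check runs, no JNDI provider is contacted.
        String[] samples = {
            "jdbc/karaf",
            "java:comp/env/jdbc/karaf",
            "osgi:service/javax.sql.DataSource/(osgi.jndi.service.name=jdbc/karaf)",
            "ldap://attacker.example:1389/Exploit",
            "LDAPS://attacker.example:636/cn=x",
            "rmi://attacker.example:1099/Exploit",
        };
        for (String name : samples) {
            try {
                requireLocalJndiName(name);
                System.out.println("accepted: " + name);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

The first three samples are accepted and the last three rejected. Note that on JDK 8u191 and later the LDAP provider no longer loads classes from a remote codebase by default (com.sun.jndi.ldap.object.trustURLCodebase=false), but an attacker-controlled LDAP server can still return javaSerializedData that is deserialized with whatever gadget classes are on the local classpath, so restricting the scheme before the lookup is the check that matters rather than relying on that JDK default.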
github.com/advisories/GHSA-c2p4-8mvv-rwmv
github.com/apache/karaf/commit/2a933445d1ae3dd22acf17a4f720f01ea98159a3
github.com/apache/karaf/commit/3819f4834192f0f38f5ffef1ca8ea165a80eb8f0
github.com/apache/karaf/pull/1632
issues.apache.org/jira/browse/KARAF-7568
karaf.apache.org/security/cve-2022-40145.txt