Lucene search
Veracode Vulnerability DatabaseVERACODE:38557HistoryDec 22, 2022 - 12:55 a.m.
Remote Code Execution (RCE)
2022-12-2200:55:43
Veracode Vulnerability Database
sca.analysiscenter.veracode.com
26
remote code execution
jndi ldap
jdbcutils.java
EPSS
0.001
Percentile
38.6%
org.apache.karaf.jaas.modules is vulnerable to remote code execution. The vulnerability exists because the doCreateDatasource function in JDBCUtils.java does not properly validate the jndiName parameter in the JNDI scheme when a configuration uses a JNDI LDAP data source URI, allowing an attacker to inject and execute malicious code.
References
github.com/advisories/GHSA-c2p4-8mvv-rwmv
github.com/apache/karaf/commit/2a933445d1ae3dd22acf17a4f720f01ea98159a3
github.com/apache/karaf/commit/3819f4834192f0f38f5ffef1ca8ea165a80eb8f0
github.com/apache/karaf/pull/1632
issues.apache.org/jira/browse/KARAF-7568
karaf.apache.org/security/cve-2022-40145.txt
Related
cve
cve
CVE-2022-40145
2022-12-21 16:15:08
prion
prion
Code injection
2022-12-21 16:15:00
github
github
Apache Karaf vulnerable to potential code injection
2022-12-21 18:30:22
nvd
nvd
CVE-2022-40145
2022-12-21 16:15:08
cvelist
cvelist
CVE-2022-40145 Apache Karaf: JDBC JAAS LDAP injection
2022-12-21 15:23:42
osv
osv
CVE-2022-40145
2022-12-21 16:15:08
Apache Karaf vulnerable to potential code injection
2022-12-21 18:30:22
redhatcve
redhatcve
CVE-2022-40145
2024-01-08 18:00:43