Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1manc0LTM5cGctdmY0Zs4AAgqM
Apache Karaf vulnerable to relative path traversal
The Apache Karaf Config service provides an install method (exposed via a service or an MBean) that could be used to traverse to any directory and overwrite an existing file. The impact is low if the Karaf process user has limited permissions on the filesystem. Any Apache Karaf version before 4.2.5 is impacted. Users should upgrade to Apache Karaf 4.2.5 or later.
Permalink: https://github.com/advisories/GHSA-fjw4-39pg-vf4f
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1manc0LTM5cGctdmY0Zs4AAgqM
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: over 1 year ago
CVSS Score: 4.9
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
Identifiers: GHSA-fjw4-39pg-vf4f, CVE-2019-0226
References:
- https://nvd.nist.gov/vuln/detail/CVE-2019-0226
- https://lists.apache.org/thread.html/1baa6f1df0e95fb1cd679067117354af2ab4423277d9a0ff6e8bf790@%3Cdev.karaf.apache.org%3E
- https://lists.apache.org/thread.html/r218c7e017af0a860ae21bf7ab77520fd2070c8f52db680eeec03a266@%3Ccommits.karaf.apache.org%3E
- https://github.com/apache/karaf/pull/805
- https://issues.apache.org/jira/browse/KARAF-6230
- https://github.com/advisories/GHSA-fjw4-39pg-vf4f
Blast Radius: 8.3
Affected Packages
maven:org.apache.karaf.config:org.apache.karaf.config.core
Dependent packages: 12
Dependent repositories: 49
Downloads:
Affected Version Ranges: < 4.2.5
Fixed in: 4.2.5
All affected versions: 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.8, 3.0.9, 3.0.10, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10, 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.2.4
All unaffected versions: 4.2.5, 4.2.6, 4.2.7, 4.2.8, 4.2.9, 4.2.10, 4.2.11, 4.2.12, 4.2.13, 4.2.14, 4.2.15, 4.2.16, 4.3.0, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 4.3.8, 4.3.9, 4.3.10, 4.4.0, 4.4.1, 4.4.2, 4.4.3, 4.4.4, 4.4.5, 4.4.6