Description

Apache Karaf Config service provides a install method (via service or MBean) that could be used to travel in any directory and overwrite existing file. The vulnerability is low if the Karaf process user has limited permission on the filesystem. Any Apache Karaf version before 4.2.5 is impacted. User should upgrade to Apache Karaf 4.2.5 or later.

Remediation

References

https://lists.apache.org/thread.html/1baa6f1df0e95fb1cd679067117354af2ab4423277d9a0ff6e8bf790%40%3Cdev.karaf.apache.org%3E

https://lists.apache.org/thread.html/r218c7e017af0a860ae21bf7ab77520fd2070c8f52db680eeec03a266%40%3Ccommits.karaf.apache.org%3E

Related Vulnerabilities

CVE-2017-16195 Vulnerability in npm package pytservce

CVE-2017-16093 Vulnerability in npm package cyber-js

CVE-2020-5410 Vulnerability in maven package org.springframework.cloud:spring-cloud-config-server

CVE-2020-8570 Vulnerability in maven package io.kubernetes:client-java

CVE-2022-48285 Vulnerability in maven package org.webjars:jszip

Severity

Medium

Classification

CWE-22 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N