- Description
- Apache Karaf obr:* commands and run goal on the karaf-maven-plugin have partial path traversal which allows to break out of expected folder. The risk is low as obr:* commands are not very used and the entry is set by user. This has been fixed in revision: https://gitbox.apache.org/repos/asf?p=karaf.git;h=36a2bc4 https://gitbox.apache.org/repos/asf?p=karaf.git;h=52b70cf Mitigation: Apache Karaf users should upgrade to 4.2.15 or 4.3.6 or later as soon as possible, or use correct path. JIRA Tickets: https://issues.apache.org/jira/browse/KARAF-7326
- Source
- security@apache.org
- NVD status
- Modified
CVSS 3.1
- Type
- Primary
- Base score
- 5.3
- Impact score
- 1.4
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
- Severity
- MEDIUM
CVSS 2.0
- Type
- Primary
- Base score
- 5
- Impact score
- 2.9
- Exploitability score
- 10
- Vector string
- AV:N/AC:L/Au:N/C:P/I:N/A:N
- nvd@nist.gov
- CWE-22
- Hype score
- Not currently trending
[
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:karaf:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "B465DE0D-5C3B-4D0E-8A6B-503D8E710BF9",
"versionEndExcluding": "4.2.15"
},
{
"criteria": "cpe:2.3:a:apache:karaf:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "66C13A93-7FBA-4B73-A3F1-20E204A34006",
"versionEndExcluding": "4.3.6",
"versionStartIncluding": "4.3.0"
}
],
"operator": "OR"
}
]
}
]