Apache Karaf
12 CVEs affecting Apache Karaf. Latest disclosed: 2022-12-21. Critical: 2, High: 4.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2022-40145 | Critical | 9.8 | 2022-12-21 | This vulnerability is about a potential code injection when an attacker has control of the target LDAP server used in the JDBC JNDI URL. The function jaas.modul… |
| CVE-2018-11788 | Critical | 9.8 | 2019-01-07 | Apache Karaf provides a features deployer, which allows users to "hot deploy" a features XML by dropping the file directly in the deploy folder. The features X… |
| CVE-2018-11786 | High | 8.8 | 2018-09-18 | In Apache Karaf prior to 4.2.0 release, if the sshd service in Karaf is left on so an administrator can manage the running instance, any user with rights to th… |
| CVE-2021-41766 | High | 8.1 | 2022-01-26 | Apache Karaf allows monitoring of applications and the Java runtime by using the Java Management Extensions (JMX). JMX is a Java RMI based technology that reli… |
| CVE-2020-28052 | High | 8.1 | 2020-12-18 | An issue was discovered in Legion of the Bouncy Castle BC Java 1.65 and 1.66. The OpenBSDBCrypt.checkPassword utility method compared incorrect data when check… |
| CVE-2018-11787 | High | 8.1 | 2018-09-18 | In Apache Karaf versions prior to 3.0.9, 4.0.9, 4.1.1, when the webconsole feature is installed in Karaf, it is available at .../system/console and requires aut… |
| CVE-2019-0191 | Medium | 6.5 | 2019-03-21 | Apache Karaf kar deployer reads .kar archives and extracts the paths from the "repository/" and "resources/" entries in the zip file. It then writes out the co… |
| CVE-2016-8750 | Medium | 6.5 | 2018-02-19 | Apache Karaf prior to 4.0.8 used the LDAPLoginModule to authenticate users to a directory via LDAP. However, it did not encode usernames properly and hence w… |
| CVE-2020-11980 | Medium | 6.3 | 2020-06-12 | In Karaf, JMX authentication takes place using JAAS and authorization takes place using ACL files. By default, only an "admin" can actually invoke on an MBean… |
| CVE-2014-0219 | Medium | 5.5 | 2017-11-15 | Apache Karaf before 4.0.10 enables a shutdown port on the loopback interface, which allows local users to cause a denial of service (shutdown) by sending a shu… |
| CVE-2022-22932 | Medium | 5.3 | 2022-01-26 | Apache Karaf obr:* commands and the run goal on the karaf-maven-plugin have a partial path traversal which allows breaking out of the expected folder. The risk is low as… |
| CVE-2019-0226 | Medium | 4.9 | 2019-05-09 | Apache Karaf Config service provides an install method (via service or MBean) that could be used to traverse into any directory and overwrite existing files. The vul… |