CVE-2022-22932

See a problem?
Source
https://nvd.nist.gov/vuln/detail/CVE-2022-22932
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-22932.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-22932
Aliases
Published
2022-01-26T11:15:09Z
Modified
2024-05-30T03:32:34.177785Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
[none]
Details

Apache Karaf obr:* commands and run goal on the karaf-maven-plugin have partial path traversal which allows to break out of expected folder. The risk is low as obr:* commands are not very used and the entry is set by user. This has been fixed in revision: https://gitbox.apache.org/repos/asf?p=karaf.git;h=36a2bc4 https://gitbox.apache.org/repos/asf?p=karaf.git;h=52b70cf Mitigation: Apache Karaf users should upgrade to 4.2.15 or 4.3.6 or later as soon as possible, or use correct path. JIRA Tickets: https://issues.apache.org/jira/browse/KARAF-7326

References

Affected packages

Git / github.com/apache/karaf

Affected ranges

Type
GIT
Repo
https://github.com/apache/karaf
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

karaf-3.*

karaf-3.0.0

karaf-4.*

karaf-4.0.0
karaf-4.0.0.M1
karaf-4.0.0.M2
karaf-4.0.0.M3
karaf-4.0.1
karaf-4.0.2
karaf-4.0.3
karaf-4.0.4
karaf-4.1.0
karaf-4.1.1
karaf-4.2.0
karaf-4.2.0.M1
karaf-4.2.0.M2
karaf-4.2.1
karaf-4.2.10
karaf-4.2.11
karaf-4.2.12
karaf-4.2.13
karaf-4.2.14
karaf-4.2.2
karaf-4.2.3
karaf-4.2.4
karaf-4.2.5
karaf-4.2.6
karaf-4.2.7
karaf-4.2.8
karaf-4.2.9