Unsecured Gogo Console in Apache Karaf Webconsole Feature
CVE-2018-11787

8.1 HIGH

Key Information:

Vendor
Apache
CVE Published:
18 September 2018

Summary

In the affected versions of Apache Karaf, installing the webconsole feature exposes the Gogo shell over HTTP. Direct access to the Gogo URL requires authentication, but if the Pax Web Extender Whiteboard is also installed, the same console is additionally registered at an unsecured endpoint. An unauthenticated remote user can therefore reach the Karaf command line interface, which is equivalent to control of the Karaf runtime. To mitigate this vulnerability, users should disable either the Gogo shell or the Pax Web Extender Whiteboard, bearing in mind that doing so may break other components that depend on them.

Affected Version(s)

Apache Karaf prior to 3.0.9

Apache Karaf 4.0.x prior to 4.0.9

Apache Karaf 4.1.x prior to 4.1.1
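The three version ranges above are easy to misread when checking an inventory by hand. The following is an added example (not part of the advisory or the Karaf project) that encodes them as half-open ranges and flags affected instances; the inventory, host names and version strings are constructed, and "prior to 3.0.9" is read literally as every release below 3.0.9.

```python
"""Flag Apache Karaf versions that fall inside the ranges listed for
CVE-2018-11787. Example code written for this advisory, not from the
Karaf project; the inventory below is constructed sample data."""
import re

# (first affected, first fixed) per branch, taken from the advisory.
# "prior to 3.0.9" is read literally as every release below 3.0.9 (assumption).
AFFECTED_RANGES = [
    ((0, 0, 0), (3, 0, 9)),   # Apache Karaf prior to 3.0.9
    ((4, 0, 0), (4, 0, 9)),   # Apache Karaf 4.0.x prior to 4.0.9
    ((4, 1, 0), (4, 1, 1)),   # Apache Karaf 4.1.x prior to 4.1.1
]


def parse_version(text):
    """Turn '4.0.8' or '4.0.8.RELEASE' into a comparable (major, minor, patch)
    tuple. Any qualifier after the third number is ignored."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised Karaf version: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(version_text):
    """True if the version lies in any [first affected, first fixed) range."""
    v = parse_version(version_text)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def affected_hosts(inventory):
    """Return the hosts whose Karaf version is affected, in inventory order.
    inventory: iterable of (hostname, version_string) pairs."""
    return [host for host, version in inventory if is_affected(version)]


# Constructed sample inventory (hypothetical hosts, not real systems).
SAMPLE_INVENTORY = [
    ("karaf-a.example.test", "3.0.8"),
    ("karaf-b.example.test", "3.0.9"),
    ("karaf-c.example.test", "4.0.8.RELEASE"),
    ("karaf-d.example.test", "4.1.0"),
    ("karaf-e.example.test", "4.2.0"),
]

if __name__ == "__main__":
    for host in affected_hosts(SAMPLE_INVENTORY):
        print(f"{host}: affected by CVE-2018-11787, review webconsole/Whiteboard")
```

Versions outside the three listed ranges (for example 4.2.x) are reported as not affected because the advisory does not list them; treat that as "not listed here", not as a fix confirmation.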

CVSS V3.1

Score:
8.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved