Path traversal flaws
CVE-2022-22932

5.3MEDIUM

Key Information:

Vendor: Apache
Status: Apache Karaf
Vendor: CVE Published:; 26 January 2022

Summary

Apache Karaf obr:* commands and run goal on the karaf-maven-plugin have partial path traversal which allows to break out of expected folder. The risk is low as obr:* commands are not very used and the entry is set by user. This has been fixed in revision: https://gitbox.apache.org/repos/asf?p=karaf.git;h=36a2bc4 https://gitbox.apache.org/repos/asf?p=karaf.git;h=52b70cf Mitigation: Apache Karaf users should upgrade to 4.2.15 or 4.3.6 or later as soon as possible, or use correct path. JIRA Tickets: https://issues.apache.org/jira/browse/KARAF-7326

Affected Version(s)

Apache Karaf Apache Karaf < 4.2.15

References

https://karaf.apache.org/security/cve-2022-22932.txt

x_refsource_MISC

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jan 26, 2022
Vulnerability Reserved
Jan 10, 2022

Credit

This issue was discovered and reported by GHSL team member Jaroslav Lobacevski