ghsa-544x-2jx9-4pfg
Vulnerability from github
Published
2022-01-28 22:25
Modified
2022-02-04 13:51
Severity ?
Summary
Path traversal in Apache Karaf
Details
Apache Karaf obr: commands and run goal on the karaf-maven-plugin have partial path traversal which allows to break out of expected folder. The risk is low as obr: commands are not very used and the entry is set by user. This has been fixed in revision: https://gitbox.apache.org/repos/asf?p=karaf.git;h=36a2bc4 https://gitbox.apache.org/repos/asf?p=karaf.git;h=52b70cf Mitigation: Apache Karaf users should upgrade to 4.2.15 or 4.3.6 or later as soon as possible, or use correct path. JIRA Tickets: https://issues.apache.org/jira/browse/KARAF-7326
{ affected: [ { package: { ecosystem: "Maven", name: "org.apache.karaf:apache-karaf", }, ranges: [ { events: [ { introduced: "4.3.0", }, { fixed: "4.3.6", }, ], type: "ECOSYSTEM", }, ], }, { package: { ecosystem: "Maven", name: "org.apache.karaf:apache-karaf", }, ranges: [ { events: [ { introduced: "0", }, { fixed: "4.2.15", }, ], type: "ECOSYSTEM", }, ], }, ], aliases: [ "CVE-2022-22932", ], database_specific: { cwe_ids: [ "CWE-22", ], github_reviewed: true, github_reviewed_at: "2022-01-27T23:10:36Z", nvd_published_at: "2022-01-26T11:15:00Z", severity: "MODERATE", }, details: "Apache Karaf obr:* commands and run goal on the karaf-maven-plugin have partial path traversal which allows to break out of expected folder. The risk is low as obr:* commands are not very used and the entry is set by user. This has been fixed in revision: https://gitbox.apache.org/repos/asf?p=karaf.git;h=36a2bc4 https://gitbox.apache.org/repos/asf?p=karaf.git;h=52b70cf Mitigation: Apache Karaf users should upgrade to 4.2.15 or 4.3.6 or later as soon as possible, or use correct path. JIRA Tickets: https://issues.apache.org/jira/browse/KARAF-7326", id: "GHSA-544x-2jx9-4pfg", modified: "2022-02-04T13:51:18Z", published: "2022-01-28T22:25:03Z", references: [ { type: "ADVISORY", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-22932", }, { type: "WEB", url: "https://github.com/apache/karaf/pull/1485", }, { type: "WEB", url: "https://gitbox.apache.org/repos/asf?p=karaf.git;h=36a2bc4", }, { type: "WEB", url: "https://gitbox.apache.org/repos/asf?p=karaf.git;h=52b70cf", }, { type: "PACKAGE", url: "https://github.com/apache/karaf", }, { type: "WEB", url: "https://issues.apache.org/jira/browse/KARAF-7326", }, { type: "WEB", url: "https://karaf.apache.org/security/cve-2022-22932.txt", }, ], schema_version: "1.4.0", severity: [ { score: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", type: "CVSS_V3", }, ], summary: "Path traversal in Apache Karaf", }
Log in or create an account to share your comment.
Security Advisory comment format.
This schema specifies the format of a comment related to a security advisory.
Title of the comment
Description of the comment
Loading…
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.