CVE-2022-22932

Summary

Apache Karaf obr:* commands and run goal on the karaf-maven-plugin have partial path traversal which allows to break out of expected folder. The risk is low as obr:* commands are not very used and the entry is set by user. This has been fixed in revision: https://gitbox.apache.org/repos/asf?p=karaf.git;h=36a2bc4 https://gitbox.apache.org/repos/asf?p=karaf.git;h=52b70cf Mitigation: Apache Karaf users should upgrade to 4.2.15 or 4.3.6 or later as soon as possible, or use correct path. JIRA Tickets: https://issues.apache.org/jira/browse/KARAF-7326

Affected Software

VendorProductVersion RangeStatus
Apache Software FoundationApache KarafApache Karaf < 4.2.15affected

Weaknesses

  • Path traversal flaws

Workarounds

Apache Karaf users should upgrade to 4.2.15 or 4.3.6 or later as soon as possible, or use correct path.

ADP Enrichment

CVE Program Container

Additional References

References