CVE-2019-0226

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2019-0226
Apache Karaf Config service provides a install method (via service or MBean) that could be used to travel in any directory and overwrite existing file. The vulnerability is low if the Karaf process user has limited permission on the filesystem. Any Apache Karaf version before 4.2.5 is impacted. User should upgrade to Apache Karaf 4.2.5 or later.

4.9 /10

CVSS v3 : MEDIUM

V3 Legend

Vector : AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

Exploitability : 1.2 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

5.5 /10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:S/C:N/I:P/A:P

Exploitability : 8.0 / Impact : 4.9

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact PARTIAL

References
Link Resource
https://lists.apache.org/thread.html/1baa6f1df0e95fb1cd679067117354af2ab4423277d9a0ff6e8bf790%40%3Cdev.karaf.apache.org%3E
https://lists.apache.org/thread.html/r218c7e017af0a860ae21bf7ab77520fd2070c8f52db680eeec03a266%40%3Ccommits.karaf.apache.org%3E
Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:karaf:*:*:*:*:*:*:*:*
History

07 Nov 2023, 03:01

Type Values Removed Values Added
References
  • {'url': 'https://lists.apache.org/thread.html/r218c7e017af0a860ae21bf7ab77520fd2070c8f52db680eeec03a266@%3Ccommits.karaf.apache.org%3E', 'name': '[karaf-commits] 20200612 [karaf-site] branch trunk updated: Publish CVE-2020-11980', 'tags': [], 'refsource': 'MLIST'}
  • {'url': 'https://lists.apache.org/thread.html/1baa6f1df0e95fb1cd679067117354af2ab4423277d9a0ff6e8bf790@%3Cdev.karaf.apache.org%3E', 'name': '[karaf-dev] 20190506 [SECURITY] New security advisory for CVE-2019-0226 released for Apache Karaf', 'tags': ['Mailing List', 'Mitigation', 'Vendor Advisory'], 'refsource': 'MLIST'}
  • () https://lists.apache.org/thread.html/1baa6f1df0e95fb1cd679067117354af2ab4423277d9a0ff6e8bf790%40%3Cdev.karaf.apache.org%3E -
  • () https://lists.apache.org/thread.html/r218c7e017af0a860ae21bf7ab77520fd2070c8f52db680eeec03a266%40%3Ccommits.karaf.apache.org%3E -
Information

Published : 2019-05-09 14:29

Updated : 2023-12-10 12:59

NVD link : CVE-2019-0226

Mitre link : CVE-2019-0226

CVE.ORG link : CVE-2019-0226

JSON object : View

Products Affected

apache

  • karaf
CWE
CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')