Message-ID: <CAB8EV3SjWzULpV46s_Yss1EA3-g5UpLCYNB0QzwK3OvSuo5Mug@mail.gmail.com>
Date: Tue, 25 Jan 2022 15:56:37 +0100
From: Jean-Baptiste Onofré <jbonofre@...che.org>
To: announce@...che.org, user@...af.apache.org, dev@...af.apache.org, 
	security@...che.org, oss-security@...ts.openwall.com, securitylab@...hub.com
Subject: [SECURITY] New security advisory for CVE-2022-22932

A new security advisory has been released for Apache Karaf, which was
fixed in the 4.2.15 and 4.3.6 runtime releases.

CVE-2022-22932: Path traversal flaws

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected: all versions of Apache Karaf prior to 4.2.15 or 4.3.6

Description:

The Apache Karaf obr:* commands and the run goal of the karaf-maven-plugin have a
partial path traversal flaw which allows breaking out of the expected folder.

The risk is low, as the obr:* commands are not widely used and the entry is
set by the user.
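As an added illustration (not Karaf's code; the advisory does not show the affected check), the usual shape of a partial path traversal in Java: a string prefix test on canonical paths lets a sibling directory such as /repo/outside pass as if it were inside /repo/out, while a component-wise Path comparison after normalize() rejects it. The paths are constructed sample values.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Path;

/** Contrasts a partial path traversal check with a correct containment check. */
public class PathContainmentDemo {

    // Flawed: String.startsWith compares characters, not path components.
    // "/repo/out" is a prefix of "/repo/outside", so a sibling directory
    // is wrongly accepted as being inside the base folder.
    static boolean flawedIsInside(File base, File candidate) throws IOException {
        return candidate.getCanonicalPath().startsWith(base.getCanonicalPath());
    }

    // Correct: normalise ".." segments, then use Path.startsWith, which
    // compares whole components, so only true descendants of base pass.
    static boolean isInside(Path base, Path candidate) {
        Path normBase = base.toAbsolutePath().normalize();
        Path normCandidate = candidate.toAbsolutePath().normalize();
        return normCandidate.startsWith(normBase);
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample paths, not taken from Karaf.
        File base = new File("/repo/out");
        File sibling = new File("/repo/outside/bundle.jar"); // sibling directory
        File escaped = new File("/repo/out/../etc/passwd");  // classic ".." escape
        File legit = new File("/repo/out/bundle.jar");       // genuinely inside

        System.out.println("flawed check, sibling : " + flawedIsInside(base, sibling));
        System.out.println("flawed check, escaped : " + flawedIsInside(base, escaped));
        System.out.println("fixed check,  sibling : " + isInside(base.toPath(), sibling.toPath()));
        System.out.println("fixed check,  escaped : " + isInside(base.toPath(), escaped.toPath()));
        System.out.println("fixed check,  legit   : " + isInside(base.toPath(), legit.toPath()));
    }
}
```

Only the fixed check rejects both the sibling directory and the ".." escape while still accepting the legitimate child path.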

This has been fixed in revision:

https://gitbox.apache.org/repos/asf?p=karaf.git;h=36a2bc4
https://gitbox.apache.org/repos/asf?p=karaf.git;h=52b70cf

Mitigation: Apache Karaf users should upgrade to 4.2.15 or 4.3.6
or later as soon as possible, or use a correct path.

JIRA Tickets: https://issues.apache.org/jira/browse/KARAF-7326


Credit: This issue was discovered and reported by GHSL team member
Jaroslav Lobacevski.
