{"containers": {"cna": {"affected": [{"product": "Apache Karaf", "vendor": "Apache Software Foundation", "versions": [{"status": "affected", "version": "prior to 3.0.9"}, {"status": "affected", "version": "4.0.x prior to 4.0.9"}, {"status": "affected", "version": "4.1.x prior to 4.1.1"}]}], "datePublic": "2018-09-18T00:00:00", "descriptions": [{"lang": "en", "value": "In Apache Karaf version prior to 3.0.9, 4.0.9, 4.1.1, when the webconsole feature is installed in Karaf, it is available at .../system/console and requires authentication to access it. One part of the console is a Gogo shell/console that gives access to the command line console of Karaf via a Web browser, and when navigated to it is available at .../system/console/gogo. Trying to go directly to that URL does require authentication. And optional bundle that some applications use is the Pax Web Extender Whiteboard, it is part of the pax-war feature and perhaps others. When it is installed, the Gogo console becomes available at another URL .../gogo/, and that URL is not secured giving access to the Karaf console to unauthenticated users. A mitigation for the issue is to manually stop/uninstall Gogo plugin bundle that is installed with the webconsole feature, although of course this removes the console from the .../system/console application, not only from the unauthenticated endpoint. One could also stop/uninstall the Pax Web Extender Whiteboard, but other components/applications may require it and so their functionality would be reduced/compromised."}], "problemTypes": [{"descriptions": [{"description": "Unsecure Access", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-09-18T13:57:02", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://issues.apache.org/jira/browse/KARAF-4993"}, {"name": "[karaf-dev] 20180918 [SECURITY] New security advisory for CVE-2018-11787 released for Apache Karaf", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/d9ba4c3104ba32225646879a057b75b54430f349c246c85469037d3c%40%3Cdev.karaf.apache.org%3E"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://karaf.apache.org/security/cve-2018-11787.txt"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@apache.org", "DATE_PUBLIC": "2018-09-18T00:00:00", "ID": "CVE-2018-11787", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Apache Karaf", "version": {"version_data": [{"version_value": "prior to 3.0.9"}, {"version_value": "4.0.x prior to 4.0.9"}, {"version_value": "4.1.x prior to 4.1.1"}]}}]}, "vendor_name": "Apache Software Foundation"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In Apache Karaf version prior to 3.0.9, 4.0.9, 4.1.1, when the webconsole feature is installed in Karaf, it is available at .../system/console and requires authentication to access it. One part of the console is a Gogo shell/console that gives access to the command line console of Karaf via a Web browser, and when navigated to it is available at .../system/console/gogo. Trying to go directly to that URL does require authentication. And optional bundle that some applications use is the Pax Web Extender Whiteboard, it is part of the pax-war feature and perhaps others. When it is installed, the Gogo console becomes available at another URL .../gogo/, and that URL is not secured giving access to the Karaf console to unauthenticated users. A mitigation for the issue is to manually stop/uninstall Gogo plugin bundle that is installed with the webconsole feature, although of course this removes the console from the .../system/console application, not only from the unauthenticated endpoint. One could also stop/uninstall the Pax Web Extender Whiteboard, but other components/applications may require it and so their functionality would be reduced/compromised."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Unsecure Access"}]}]}, "references": {"reference_data": [{"name": "https://issues.apache.org/jira/browse/KARAF-4993", "refsource": "CONFIRM", "url": "https://issues.apache.org/jira/browse/KARAF-4993"}, {"name": "[karaf-dev] 20180918 [SECURITY] New security advisory for CVE-2018-11787 released for Apache Karaf", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/d9ba4c3104ba32225646879a057b75b54430f349c246c85469037d3c@%3Cdev.karaf.apache.org%3E"}, {"name": "http://karaf.apache.org/security/cve-2018-11787.txt", "refsource": "CONFIRM", "url": "http://karaf.apache.org/security/cve-2018-11787.txt"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T08:17:09.210Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://issues.apache.org/jira/browse/KARAF-4993"}, {"name": "[karaf-dev] 20180918 [SECURITY] New security advisory for CVE-2018-11787 released for Apache Karaf", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/d9ba4c3104ba32225646879a057b75b54430f349c246c85469037d3c%40%3Cdev.karaf.apache.org%3E"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://karaf.apache.org/security/cve-2018-11787.txt"}]}]}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2018-11787", "datePublished": "2018-09-18T14:00:00Z", "dateReserved": "2018-06-05T00:00:00", "dateUpdated": "2024-09-17T02:16:58.807Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:karaf:*:*:*:*:*:*:*:*", "matchCriteriaId": "82165825-B96D-467A-A9D1-76F01443D630", "versionEndExcluding": "3.0.9", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:karaf:*:*:*:*:*:*:*:*", "matchCriteriaId": "6D4A4EB9-65E6-4F63-8DF6-6C03A9BFAF98", "versionEndExcluding": "4.0.9", "versionStartIncluding": "4.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:karaf:*:*:*:*:*:*:*:*", "matchCriteriaId": "6D9108CB-DCB5-40DB-889C-26EDB0041342", "versionEndExcluding": "4.1.1", "versionStartIncluding": "4.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:karaf:4.0.0:milestone1:*:*:*:*:*:*", "matchCriteriaId": "4C7A0D73-11F9-430A-8E03-49D1E1301777", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:karaf:4.0.0:milestone2:*:*:*:*:*:*", "matchCriteriaId": "37C8767D-D455-452F-B27E-C3A531F1C50F", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:karaf:4.0.0:milestone3:*:*:*:*:*:*", "matchCriteriaId": "C2A2C83C-6939-4E12-AF43-6932B58C584F", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In Apache Karaf version prior to 3.0.9, 4.0.9, 4.1.1, when the webconsole feature is installed in Karaf, it is available at .../system/console and requires authentication to access it. One part of the console is a Gogo shell/console that gives access to the command line console of Karaf via a Web browser, and when navigated to it is available at .../system/console/gogo. Trying to go directly to that URL does require authentication. And optional bundle that some applications use is the Pax Web Extender Whiteboard, it is part of the pax-war feature and perhaps others. When it is installed, the Gogo console becomes available at another URL .../gogo/, and that URL is not secured giving access to the Karaf console to unauthenticated users. A mitigation for the issue is to manually stop/uninstall Gogo plugin bundle that is installed with the webconsole feature, although of course this removes the console from the .../system/console application, not only from the unauthenticated endpoint. One could also stop/uninstall the Pax Web Extender Whiteboard, but other components/applications may require it and so their functionality would be reduced/compromised."}, {"lang": "es", "value": "En Apache Karaf en versiones anteriores a la 3.0.9, 4.0.9 y 4.1.1, cuando la caracter\u00edstica webconsole est\u00e1 instalada en Karaf, est\u00e1 disponible en .../system/console y requiere autenticaci\u00f3n para acceder a ella. Una parte de la consola es un shell/consola Gogo que otorga acceso a la consola de l\u00ednea de comandos de Karaf mediante un navegador web y, cuando se navega hasta ella, est\u00e1 disponible en .../system/console/gogo. Intentar acceder directamente a esa URL requiere autenticaci\u00f3n. Un paquete opcional empleado por algunas aplicaciones es Pax Web Extender Whiteboard, que forma parte de la caracter\u00edstica pax-war y tal vez de otras. Cuando est\u00e1 instalada, la consola Gogo se vuelve disponible en otra URL../gogo/, y esa URL no es segura, lo que otorga acceso a la consola Karaf a usuarios no autenticados. Una mitigaci\u00f3n a este problema es detener/desinstalar manualmente el paquete del plugin Gogo que est\u00e1 instalado con la funcionalidad webconsole, aunque esto elimina la consola de la aplicaci\u00f3n en .../system/console, no solo del endpoint sin autenticar. Tambi\u00e9n se podr\u00eda detener/desinstalar Pax Web Extender Whiteboard, pero otros componentes/aplicaciones podr\u00edan necesitarlo y, por lo tanto, su funcionalidad se ver\u00eda reducida/comprometida."}], "id": "CVE-2018-11787", "lastModified": "2023-11-07T02:51:46.910", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-09-18T14:29:00.620", "references": [{"source": "security@apache.org", "tags": ["Patch", "Vendor Advisory"], "url": "http://karaf.apache.org/security/cve-2018-11787.txt"}, {"source": "security@apache.org", "tags": ["Vendor Advisory"], "url": "https://issues.apache.org/jira/browse/KARAF-4993"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/d9ba4c3104ba32225646879a057b75b54430f349c246c85469037d3c%40%3Cdev.karaf.apache.org%3E"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "karaf: Authentication bypass access to Gogo shell in the webconsole", "id": "1631100", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1631100"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.4", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H", "status": "draft"}, "cwe": "CWE-287", "details": ["In Apache Karaf version prior to 3.0.9, 4.0.9, 4.1.1, when the webconsole feature is installed in Karaf, it is available at .../system/console and requires authentication to access it. One part of the console is a Gogo shell/console that gives access to the command line console of Karaf via a Web browser, and when navigated to it is available at .../system/console/gogo. Trying to go directly to that URL does require authentication. And optional bundle that some applications use is the Pax Web Extender Whiteboard, it is part of the pax-war feature and perhaps others. When it is installed, the Gogo console becomes available at another URL .../gogo/, and that URL is not secured giving access to the Karaf console to unauthenticated users. A mitigation for the issue is to manually stop/uninstall Gogo plugin bundle that is installed with the webconsole feature, although of course this removes the console from the .../system/console application, not only from the unauthenticated endpoint. One could also stop/uninstall the Pax Web Extender Whiteboard, but other components/applications may require it and so their functionality would be reduced/compromised.", "Prior to Karaf 3.0.9, Karaf 4.0.9, and Karaf 4.1.1, HTTP endpoints published by Karaf features may also be published under the HTTP web root, in addition to the paths specifically configured by the installed feature. Authentication and access control rules may not cover this additional path, potentially leading to authentication bypass on published features. The Gogo shell provided by the webconsole feature is potentially accessible without authentication as a result."], "name": "CVE-2018-11787", "package_state": [{"cpe": "cpe:/a:redhat:jboss_amq:6", "fix_state": "Out of support scope", "package_name": "karaf", "product_name": "Red Hat JBoss A-MQ 6"}, {"cpe": "cpe:/a:redhat:jboss_fuse:6", "fix_state": "Out of support scope", "package_name": "karaf", "product_name": "Red Hat JBoss Fuse 6"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Not affected", "package_name": "karaf", "product_name": "Red Hat JBoss Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_fuse_service_works:6", "fix_state": "Will not fix", "package_name": "karaf", "product_name": "Red Hat JBoss Fuse Service Works 6"}, {"cpe": "cpe:/a:redhat:openstack:10", "fix_state": "Will not fix", "package_name": "opendaylight", "product_name": "Red Hat OpenStack Platform 10 (Newton)"}, {"cpe": "cpe:/a:redhat:openstack:12", "fix_state": "Will not fix", "package_name": "opendaylight", "product_name": "Red Hat OpenStack Platform 12 (Pike)"}, {"cpe": "cpe:/a:redhat:openstack:13", "fix_state": "Not affected", "package_name": "opendaylight", "product_name": "Red Hat OpenStack Platform 13 (Queens)"}, {"cpe": "cpe:/a:redhat:openstack:8", "fix_state": "Will not fix", "package_name": "opendaylight", "product_name": "Red Hat OpenStack Platform 8 (Liberty)"}, {"cpe": "cpe:/a:redhat:openstack:9", "fix_state": "Will not fix", "package_name": "opendaylight", "product_name": "Red Hat OpenStack Platform 9 (Mitaka)"}], "public_date": "2018-09-18T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2018-11787\nhttps://nvd.nist.gov/vuln/detail/CVE-2018-11787\nhttp://karaf.apache.org/security/cve-2018-11787.txt"], "statement": "Open Daylight: The webconsole feature is not installed by default. In RHOSP12 and earlier, when the webconsole feature is installed, the gogo webshell potentially provides access to the Karaf console without authentication.", "threat_severity": "Moderate", "upstream_fix": "Karaf 3.0.9, Karaf 4.0.9, Karaf 4.1.1"}