CVE-2022-22932 - OpenCVE

Apache Karaf obr:* commands and run goal on the karaf-maven-plugin have partial path traversal which allows to break out of expected folder. The risk is low as obr:* commands are not very used and the entry is set by user. This has been fixed in revision: https://gitbox.apache.org/repos/asf?p=karaf.git;h=36a2bc4 https://gitbox.apache.org/repos/asf?p=karaf.git;h=52b70cf Mitigation: Apache Karaf users should upgrade to 4.2.15 or 4.3.6 or later as soon as possible, or use correct path. JIRA Tickets: https://issues.apache.org/jira/browse/KARAF-7326

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Apache	Karaf
Redhat	Jboss Fuse

Configuration 1 [-]

OR	cpe:2.3:a:apache:karaf::::::::
	cpe:2.3:a:apache:karaf::::::::

Package	CPE	Advisory	Released Date
Red Hat Fuse 7.11
karaf	cpe:/a:redhat:jboss_fuse:7	RHSA-2022:5532	2022-07-07T00:00:00Z

References

Link	Providers
https://karaf.apache.org/security/cve-2022-22932.txt
https://nvd.nist.gov/vuln/detail/CVE-2022-22932
https://www.cve.org/CVERecord?id=CVE-2022-22932

History

No history.

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2022-01-26T11:10:12

Updated: 2024-08-03T03:28:42.479Z

Reserved: 2022-01-10T00:00:00

Link: CVE-2022-22932

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-01-26T11:15:09.583

Modified: 2022-02-03T14:51:01.617

Link: CVE-2022-22932

Redhat

Severity : Low

Publid Date: 2022-01-09T00:00:00Z

Links: CVE-2022-22932 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "Apache Karaf", "vendor": "Apache Software Foundation", "versions": [{"changes": [{"at": "4.3.6", "status": "unaffected"}], "lessThan": "4.2.15", "status": "affected", "version": "Apache Karaf", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "This issue was discovered and reported by GHSL team member Jaroslav Lobacevski"}], "descriptions": [{"lang": "en", "value": "Apache Karaf obr:* commands and run goal on the karaf-maven-plugin have partial path traversal which allows to break out of expected folder. The risk is low as obr:* commands are not very used and the entry is set by user. This has been fixed in revision: https://gitbox.apache.org/repos/asf?p=karaf.git;h=36a2bc4 https://gitbox.apache.org/repos/asf?p=karaf.git;h=52b70cf Mitigation: Apache Karaf users should upgrade to 4.2.15 or 4.3.6 or later as soon as possible, or use correct path. JIRA Tickets: https://issues.apache.org/jira/browse/KARAF-7326"}], "metrics": [{"other": {"content": {"other": "The risk is low as obr:* commands are not very used and the entry is set by user."}, "type": "unknown"}}], "problemTypes": [{"descriptions": [{"description": "Path traversal flaws", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-01-26T11:10:12", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://karaf.apache.org/security/cve-2022-22932.txt"}], "source": {"discovery": "UNKNOWN"}, "title": "Path traversal flaws", "workarounds": [{"lang": "en", "value": "Apache Karaf users should upgrade to 4.2.15 or 4.3.6 or later as soon as possible, or use correct path."}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@apache.org", "ID": "CVE-2022-22932", "STATE": "PUBLIC", "TITLE": "Path traversal flaws"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Apache Karaf", "version": {"version_data": [{"version_affected": "<", "version_name": "Apache Karaf", "version_value": "4.2.15"}, {"version_affected": "<", "version_name": "Apache Karaf", "version_value": "4.3.6"}]}}]}, "vendor_name": "Apache Software Foundation"}]}}, "credit": [{"lang": "eng", "value": "This issue was discovered and reported by GHSL team member Jaroslav Lobacevski"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Apache Karaf obr:* commands and run goal on the karaf-maven-plugin have partial path traversal which allows to break out of expected folder. The risk is low as obr:* commands are not very used and the entry is set by user. This has been fixed in revision: https://gitbox.apache.org/repos/asf?p=karaf.git;h=36a2bc4 https://gitbox.apache.org/repos/asf?p=karaf.git;h=52b70cf Mitigation: Apache Karaf users should upgrade to 4.2.15 or 4.3.6 or later as soon as possible, or use correct path. JIRA Tickets: https://issues.apache.org/jira/browse/KARAF-7326"}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": [{"other": "The risk is low as obr:* commands are not very used and the entry is set by user."}], "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Path traversal flaws"}]}]}, "references": {"reference_data": [{"name": "https://karaf.apache.org/security/cve-2022-22932.txt", "refsource": "MISC", "url": "https://karaf.apache.org/security/cve-2022-22932.txt"}]}, "source": {"discovery": "UNKNOWN"}, "work_around": [{"lang": "en", "value": "Apache Karaf users should upgrade to 4.2.15 or 4.3.6 or later as soon as possible, or use correct path."}]}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T03:28:42.479Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://karaf.apache.org/security/cve-2022-22932.txt"}]}]}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2022-22932", "datePublished": "2022-01-26T11:10:12", "dateReserved": "2022-01-10T00:00:00", "dateUpdated": "2024-08-03T03:28:42.479Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:karaf:*:*:*:*:*:*:*:*", "matchCriteriaId": "B465DE0D-5C3B-4D0E-8A6B-503D8E710BF9", "versionEndExcluding": "4.2.15", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:karaf:*:*:*:*:*:*:*:*", "matchCriteriaId": "66C13A93-7FBA-4B73-A3F1-20E204A34006", "versionEndExcluding": "4.3.6", "versionStartIncluding": "4.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Apache Karaf obr:* commands and run goal on the karaf-maven-plugin have partial path traversal which allows to break out of expected folder. The risk is low as obr:* commands are not very used and the entry is set by user. This has been fixed in revision: https://gitbox.apache.org/repos/asf?p=karaf.git;h=36a2bc4 https://gitbox.apache.org/repos/asf?p=karaf.git;h=52b70cf Mitigation: Apache Karaf users should upgrade to 4.2.15 or 4.3.6 or later as soon as possible, or use correct path. JIRA Tickets: https://issues.apache.org/jira/browse/KARAF-7326"}, {"lang": "es", "value": "Los comandos de Apache Karaf obr:* y el objetivo de ejecuci\u00f3n en el karaf-maven-plugin tienen un salto de ruta parcial que permite salirse de la carpeta esperada. El riesgo es bajo ya que los comandos obr:* no son muy usados y la entrada es establecida por el usuario. Esto ha sido corregido en la revisi\u00f3n: https://gitbox.apache.org/repos/asf?p=karaf.git;h=36a2bc4 https://gitbox.apache.org/repos/asf?p=karaf.git;h=52b70cf Mitigaci\u00f3n: Los usuarios de Apache Karaf deben actualizar a versiones 4.2.15 o 4.3.6 o posteriores lo antes posible, o usar la ruta correcta. Entradas de JIRA: https://issues.apache.org/jira/browse/KARAF-7326"}], "id": "CVE-2022-22932", "lastModified": "2022-02-03T14:51:01.617", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-01-26T11:15:09.583", "references": [{"source": "security@apache.org", "tags": ["Vendor Advisory"], "url": "https://karaf.apache.org/security/cve-2022-22932.txt"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2022:5532", "cpe": "cpe:/a:redhat:jboss_fuse:7", "package": "karaf", "product_name": "Red Hat Fuse 7.11", "release_date": "2022-07-07T00:00:00Z"}], "bugzilla": {"description": "karaf: path traversal flaws", "id": "2046279", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2046279"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.4", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "status": "verified"}, "cwe": "CWE-22", "details": ["Apache Karaf obr:* commands and run goal on the karaf-maven-plugin have partial path traversal which allows to break out of expected folder. The risk is low as obr:* commands are not very used and the entry is set by user. This has been fixed in revision: https://gitbox.apache.org/repos/asf?p=karaf.git;h=36a2bc4 https://gitbox.apache.org/repos/asf?p=karaf.git;h=52b70cf Mitigation: Apache Karaf users should upgrade to 4.2.15 or 4.3.6 or later as soon as possible, or use correct path. JIRA Tickets: https://issues.apache.org/jira/browse/KARAF-7326", "A flaw was found in the Apache Karaf obr:* command, where a partial path traversal issue allows a break out of the expected folder. This entry is set by the user."], "name": "CVE-2022-22932", "package_state": [{"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:6", "fix_state": "Out of support scope", "package_name": "karaf", "product_name": "Red Hat BPM Suite 6"}, {"cpe": "cpe:/a:redhat:jboss_developer_studio:12.", "fix_state": "Will not fix", "package_name": "karaf", "product_name": "Red Hat CodeReady Studio 12"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:7", "fix_state": "Not affected", "package_name": "karaf", "product_name": "Red Hat Decision Manager 7"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Not affected", "package_name": "karaf", "product_name": "Red Hat Integration Camel K"}, {"cpe": "cpe:/a:redhat:camel_quarkus:2", "fix_state": "Not affected", "package_name": "karaf", "product_name": "Red Hat Integration Camel Quarkus"}, {"cpe": "cpe:/a:redhat:jboss_amq:6", "fix_state": "Out of support scope", "package_name": "karaf", "product_name": "Red Hat JBoss A-MQ 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:6", "fix_state": "Out of support scope", "package_name": "karaf", "product_name": "Red Hat JBoss BRMS 6"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Out of support scope", "package_name": "karaf", "product_name": "Red Hat JBoss Data Grid 7"}, {"cpe": "cpe:/a:redhat:jboss_fuse:6", "fix_state": "Out of support scope", "package_name": "karaf", "product_name": "Red Hat JBoss Fuse 6"}, {"cpe": "cpe:/a:redhat:jboss_fuse_service_works:6", "fix_state": "Out of support scope", "package_name": "karaf", "product_name": "Red Hat JBoss Fuse Service Works 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Not affected", "package_name": "karaf", "product_name": "Red Hat Process Automation 7"}], "public_date": "2022-01-09T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-22932\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-22932"], "threat_severity": "Low"}