GHSA-9jg9-6wm2-x7p5

Source
https://github.com/advisories/GHSA-9jg9-6wm2-x7p5
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-9jg9-6wm2-x7p5/GHSA-9jg9-6wm2-x7p5.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-9jg9-6wm2-x7p5
Aliases
Published
2022-02-10T23:04:32Z
Modified
2023-11-21T12:01:59.241961Z
Severity
  • 6.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Summary
Server-Side Request Forgery in Karaf
Details

In Karaf, JMX authentication takes place using JAAS and authorization takes place using ACL files. By default, only an "admin" can actually invoke on an MBean. However, there is a vulnerability for someone who is not an admin but has a "viewer" role. In 'etc/jmx.acl.cfg', such a role is allowed to call get*. It is therefore possible to authenticate with the viewer role and invoke the MLet getMBeansFromURL method, which goes off to a remote server to fetch the desired MBean, which is then registered in Karaf. At this point the attack fails, as "viewer" does not have permission to invoke on the newly registered MBean. Still, it can act as an SSRF-style attack, and it essentially allows a "viewer" role to pollute the MBean registry, which is a kind of privilege escalation. The severity is low, as it is possible to add an ACL to limit access. Users should update to Apache Karaf 4.2.9 or newer.

Database specific
{
    "nvd_published_at": "2020-06-12T22:15:00Z",
    "cwe_ids": [
        "CWE-918"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-13T15:36:05Z"
}
References

Affected packages

Maven / org.apache.karaf.management:org.apache.karaf.management.server

Package

Name
org.apache.karaf.management:org.apache.karaf.management.server
Purl
pkg:maven/org.apache.karaf.management/org.apache.karaf.management.server

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
4.2.9

Affected versions

2.*

2.2.4
2.2.5
2.2.6
2.2.7
2.2.8
2.2.9
2.2.10
2.2.11
2.3.0
2.3.1
2.3.2
2.3.3
2.3.4
2.3.5
2.3.6
2.3.7
2.3.8
2.3.9
2.3.10
2.3.11
2.3.12
2.4.0
2.4.1
2.4.2
2.4.3
2.4.4

3.*

3.0.0.RC1
3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6
3.0.7
3.0.8
3.0.9
3.0.10

4.*

4.0.0.M1
4.0.0.M2
4.0.0.M3
4.0.0
4.0.1
4.0.2
4.0.3
4.0.4
4.0.5
4.0.6
4.0.7
4.0.8
4.0.9
4.0.10
4.1.0
4.1.1
4.1.2
4.1.3
4.1.4
4.1.5
4.1.6
4.1.7
4.2.0.M1
4.2.0.M2
4.2.0
4.2.1
4.2.2
4.2.3
4.2.4
4.2.5
4.2.6
4.2.7
4.2.8