The Apache Karaf obr:* commands and the run goal of the karaf-maven-plugin have a partial path traversal which allows breaking out of the expected folder. The risk is low as the obr:* commands are not widely used and the entry is set by the user.
This has been fixed in revision:
Apache Karaf users should upgrade to 4.2.15 or 4.3.6 or later as soon as possible, or use the correct path.
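An added illustration of the bug class named above (not Karaf's code and not the referenced fix): a containment check that compares canonical paths as plain strings accepts a sibling folder whose name merely starts with the base folder's name, while an element-wise comparison rejects it. The class name, method names, base folder and sample entries are all constructed for this example.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Path;

public class PartialPathTraversalDemo {

    // Weak check: string prefix comparison on canonical paths. A path such as
    // <tmp>/demo/repo-other/a.jar begins with the string <tmp>/demo/repo,
    // so it is wrongly treated as being inside the base folder.
    static boolean weakIsInside(File base, String entry) throws IOException {
        File target = new File(base, entry);
        return target.getCanonicalPath().startsWith(base.getCanonicalPath());
    }

    // Hardened check: Path.startsWith compares whole path elements, so only
    // the base folder itself and its real descendants are accepted.
    static boolean strictIsInside(File base, String entry) throws IOException {
        Path basePath = base.getCanonicalFile().toPath();
        Path target = new File(base, entry).getCanonicalFile().toPath();
        return target.startsWith(basePath);
    }

    public static void main(String[] args) throws IOException {
        // Constructed base folder; it does not need to exist for the check.
        File tmp = new File(System.getProperty("java.io.tmpdir"));
        File base = new File(tmp, "demo" + File.separator + "repo");

        // Constructed user-supplied entries, relative to the base folder.
        String[] entries = {
            "bundles/a.jar",        // stays inside the base folder
            "../repo-other/a.jar",  // sibling folder sharing the "repo" prefix
            "../elsewhere/a.jar"    // sibling folder with an unrelated name
        };

        for (String entry : entries) {
            System.out.printf("%-22s weak=%-5b strict=%b%n",
                    entry, weakIsInside(base, entry), strictIsInside(base, entry));
        }
    }
}
```

The two checks disagree only on the second entry, which is the case a string prefix comparison lets through.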
This issue has been addressed in the following products:
Red Hat Fuse 7.11
Via RHSA-2022:5532 https://access.redhat.com/errata/RHSA-2022:5532
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):