2046279 – (CVE-2022-22932) CVE-2022-22932 karaf: path traversal flaws

Bug 2046279 (CVE-2022-22932) - CVE-2022-22932 karaf: path traversal flaws

Summary: CVE-2022-22932 karaf: path traversal flaws

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2022-22932
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	2046286
TreeView+	depends on / blocked

Reported:	2022-01-26 14:02 UTC by Guilherme de Almeida Suckevicz
Modified:	2022-07-07 18:38 UTC (History)
CC List:	27 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in the Apache Karaf obr:* command, where a partial path traversal issue allows a break out of the expected folder. This entry is set by the user.
Clone Of:
Environment:
Last Closed:	2022-07-07 18:38:29 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2022:5532	0	None	None	None	2022-07-07 14:22:07 UTC

Description Guilherme de Almeida Suckevicz 2022-01-26 14:02:59 UTC

Apache Karaf obr:* commands and run goal on the karaf-maven-plugin have partial path traversal which allows to break out of expected folder. The risk is low as obr:* commands are not very used and the entry is set by user.

This has been fixed in revision:
https://gitbox.apache.org/repos/asf?p=karaf.git;h=36a2bc4
https://gitbox.apache.org/repos/asf?p=karaf.git;h=52b70cf

Mitigation:
Apache Karaf users should upgrade to 4.2.15 or 4.3.6 or later as soon as possible, or use correct path.

JIRA Tickets:
https://issues.apache.org/jira/browse/KARAF-7326

Comment 8 jprivett 2022-03-22 17:46:46 UTC

Mitigation:
Apache Karaf users should upgrade to 4.2.15 or 4.3.6 or later as soon as possible, or use the correct path.

Comment 12 errata-xmlrpc 2022-07-07 14:22:03 UTC

This issue has been addressed in the following products:

  Red Hat Fuse 7.11

Via RHSA-2022:5532 https://access.redhat.com/errata/RHSA-2022:5532

Comment 13 Product Security DevOps Team 2022-07-07 18:38:26 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-22932

Note You need to log in before you can comment on or make changes to this bug.

aileenc
akoufoud
alazarot
anstephe
ataylor
chazlett
drieden
etirelli
gmalinko
hbraun
ibek
janstey
jnethert
jochrist
jprivett
jrokos
jross
jstastny
jwon
krathod
kverlaen
mnovotny
pantinor
pdelbell
pjindal
rrajasek
tzimanyi