Home > Vulnerability Database > CVE-2022-22932

Mend.io Vulnerability Database

CVE-2022-22932

Good to know:

Date: January 26, 2022

Apache Karaf obr:* commands and run goal on the karaf-maven-plugin have partial path traversal which allows to break out of expected folder. The risk is low as obr:* commands are not very used and the entry is set by user. This has been fixed in revision: https://gitbox.apache.org/repos/asf?p=karaf.git;h=36a2bc4 https://gitbox.apache.org/repos/asf?p=karaf.git;h=52b70cf Mitigation: Apache Karaf users should upgrade to 4.2.15 or 4.3.6 or later as soon as possible, or use correct path. JIRA Tickets: https://issues.apache.org/jira/browse/KARAF-7326

Language: Java

Severity Score

5.3

Related Resources (8)

Url: https://issues.apache.org/jira/browse/KARAF-7326

Url: https://gitbox.apache.org/repos/asf?p=karaf.git;h=36a2bc4

Url: https://github.com/apache/karaf/pull/1485

Url: https://karaf.apache.org/security/cve-2022-22932.txt

Url: https://nvd.nist.gov/vuln/detail/CVE-2022-22932

Url: https://gitbox.apache.org/repos/asf?p=karaf.git;h=52b70cf

Url: https://github.com/apache/karaf

Url: https://www.mend.io/vulnerability-database/CVE-2022-22932

Severity Score

5.3

Weakness Type (CWE)

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-22

Top Fix

Upgrade Version

Upgrade to version org.apache.karaf.obr:org.apache.karaf.obr.core:4.2.3;org.apache.karaf.obr:org.apache.karaf.obr.core:4.2.3;org.apache.karaf.obr:org.apache.karaf.obr.core:4.2.3;org.apache.karaf.obr:org.apache.karaf.obr.core:4.2.15;org.apache.karaf.obr:org.apache.karaf.obr.core:3.0.8;org.apache.karaf.obr:org.apache.karaf.obr.core:4.0.0;org.apache.karaf.obr:org.apache.karaf.obr.core:4.0.4;org.apache.karaf.obr:org.apache.karaf.obr.core:4.2.0.M2;org.apache.karaf.obr:org.apache.karaf.obr.core:4.0.7;org.apache.karaf.obr:org.apache.karaf.obr.core:3.0.6;org.apache.karaf.obr:org.apache.karaf.obr.core:4.2.6;org.apache.karaf.obr:org.apache.karaf.obr.core:4.0.9;org.apache.karaf.obr:org.apache.karaf.obr.core:4.1.1;org.apache.karaf.obr:org.apache.karaf.obr.core:4.2.15;org.apache.karaf.obr:org.apache.karaf.obr.core:4.2.11;org.apache.karaf.obr:org.apache.karaf.obr.core:4.3.5;org.apache.karaf.obr:org.apache.karaf.obr.core:4.2.15;org.apache.karaf.obr:org.apache.karaf.obr.core:4.1.3;org.apache.karaf.obr:org.apache.karaf.obr.core:4.2.7;org.apache.karaf.obr:org.apache.karaf.obr.core:4.2.15;org.apache.karaf.obr:org.apache.karaf.obr.core:4.2.3;org.apache.karaf.obr:org.apache.karaf.obr.core:4.2.15;org.apache.karaf.obr:org.apache.karaf.obr.core:4.1.6;org.apache.karaf.obr:org.apache.karaf.obr.core:4.2.15;org.apache.karaf.obr:org.apache.karaf.obr.core:4.2.9;org.apache.karaf.tooling:karaf-maven-plugin:4.2.5;org.apache.karaf.tooling:karaf-maven-plugin:4.2.0.M1;org.apache.karaf.tooling:karaf-maven-plugin:4.2.13;org.apache.karaf.tooling:karaf-maven-plugin:4.2.1;org.apache.karaf.tooling:karaf-maven-plugin:4.1.0;org.apache.karaf.tooling:karaf-maven-plugin:4.2.13;org.apache.karaf.tooling:karaf-maven-plugin:4.0.1;org.apache.karaf.tooling:karaf-maven-plugin:3.0.2;org.apache.karaf.tooling:karaf-maven-plugin:4.1.0;org.apache.karaf.tooling:karaf-maven-plugin:4.2.1;org.apache.karaf.tooling:karaf-maven-plugin:4.3.0;org.apache.karaf.tooling:karaf-maven-plugin:4.1.4;org.apache.karaf.tooling:karaf-maven-plugin:4.3.4;org.apache.karaf.tooling:karaf-maven-plugin:4.2.12;org.apache.karaf.tooling:karaf-maven-plugin:4.2.1;org.apache.karaf.tooling:karaf-maven-plugin:4.2.13;org.apache.karaf.tooling:karaf-maven-plugin:3.0.9;org.apache.karaf.tooling:karaf-maven-plugin:4.0.4;org.apache.karaf.tooling:karaf-maven-plugin:4.0.8;org.apache.karaf.tooling:karaf-maven-plugin:4.2.12;org.apache.karaf.tooling:karaf-maven-plugin:4.0.4;org.apache.karaf.tooling:karaf-maven-plugin:4.2.1;org.apache.karaf.tooling:karaf-maven-plugin:4.1.0;org.apache.karaf.tooling:karaf-maven-plugin:4.2.12;org.apache.karaf.tooling:karaf-maven-plugin:4.2.11;org.apache.karaf.tooling:karaf-maven-plugin:4.1.0;org.apache.karaf.tooling:karaf-maven-plugin:4.0.4;org.apache.karaf.tooling:karaf-maven-plugin:4.3.6;org.apache.karaf.tooling:karaf-maven-plugin:4.2.11;org.apache.karaf.tooling:karaf-maven-plugin:4.0.0.M1;org.apache.karaf.tooling:karaf-maven-plugin:4.1.0;org.apache.karaf.tooling:karaf-maven-plugin:4.2.1;org.apache.karaf.tooling:karaf-maven-plugin:4.2.8;org.apache.karaf.tooling:karaf-maven-plugin:3.0.5;org.apache.karaf.tooling:karaf-maven-plugin:4.2.8;org.apache.karaf.tooling:karaf-maven-plugin:4.2.13

Learn More

CVSS v3.1

Base Score:	5.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	NONE
Availability (A):	NONE

CVSS v2

Base Score:	5.0
Access Vector (AV):	NETWORK
Access Complexity (AC):	LOW
Authentication (AU):	NONE
Confidentiality (C):	PARTIAL
Integrity (I):	NONE
Availability (A):	NONE
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2022-22932

Good to know:

Date: January 26, 2022

Language: Java

Severity Score

Related Resources (8)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?