Risk | Low
Patch available | Yes
Number of vulnerabilities | 1
CVE-ID | CVE-2019-0226
CWE-ID | CWE-22
Exploitation vector | Network
Public exploit | N/A
Vulnerable software | Karaf (Server applications / Application servers)
Vendor | Apache Foundation
Security Bulletin
This security bulletin contains one low risk vulnerability.
EUVDB-ID: #VU18431
Risk: Low
CVSSv3.1: 2.4 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-0226
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Exploit availability: No
Description
The vulnerability allows a remote attacker to overwrite arbitrary files on the system.
The vulnerability exists due to an input validation error when processing directory traversal sequences in the Apache Karaf Config service, which exposes an install method via a service and via an MBean. A remote authenticated attacker can use directory traversal characters in the supplied configuration name to overwrite arbitrary files on the system.
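The defect class described above (CWE-22 in a name-to-file mapping) is illustrated by the following added example; it is hypothetical Java written for this bulletin, not Karaf's own code, and the class and method names (ConfigInstallCheck, resolveUnsafe, resolveSafe) are assumptions. The unsafe variant joins a caller-supplied name to the base directory without checking the result; the hardened variant requires a bare file name and verifies that the normalised path still lies inside the directory.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

// Hypothetical installer modelled on the CWE-22 flaw class; not Karaf's code.
public class ConfigInstallCheck {
    private final Path etcDir;

    public ConfigInstallCheck(Path etcDir) throws IOException {
        // Canonicalise the base once so later containment checks compare like with like.
        this.etcDir = etcDir.toRealPath();
    }

    // Vulnerable pattern: the name is joined to the base directory and used as-is,
    // so a name containing traversal sequences resolves outside etcDir.
    public Path resolveUnsafe(String name) {
        return etcDir.resolve(name);
    }

    // Hardened pattern: a config name must be a bare file name (no separators),
    // and the normalised target must still be a child of etcDir (defence in depth).
    public Path resolveSafe(String name) {
        if (name == null || name.isEmpty() || name.contains("/") || name.contains("\\")) {
            throw new IllegalArgumentException("config name must be a bare file name: " + name);
        }
        Path target = etcDir.resolve(name).normalize();
        if (!target.startsWith(etcDir) || target.equals(etcDir)) {
            throw new IllegalArgumentException("config name escapes " + etcDir + ": " + name);
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: a temporary directory stands in for the etc/ directory.
        Path base = Files.createTempDirectory("etc-sample");
        ConfigInstallCheck check = new ConfigInstallCheck(base);
        String traversal = "../../outside.cfg";
        System.out.println("unsafe resolves to: " + check.resolveUnsafe(traversal).normalize());
        System.out.println("safe resolves to:   " + check.resolveSafe("my.service.cfg"));
        try {
            check.resolveSafe(traversal);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The separator check alone would reject the traversal name; the normalise-and-startsWith check is kept so that names such as "." or ".." are also refused.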
Mitigation
Install updates from the vendor's website.
Vulnerable software versions
Karaf: 1.0.0 - 4.2.4
External links
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.