CVE-2019-0226

MEDIUM

Apache Karaf < 4.2.5 - Path Traversal and Arbitrary File Write via Config Service Install Method

Title source: llm

Description

Apache Karaf Config service provides a install method (via service or MBean) that could be used to travel in any directory and overwrite existing file. The vulnerability is low if the Karaf process user has limited permission on the filesystem. Any Apache Karaf version before 4.2.5 is impacted. User should upgrade to Apache Karaf 4.2.5 or later.

References (2)

Core 2

Core References

Mailing List mailing-list x_refsource_mlist

https://lists.apache.org/thread.html/1baa6f1df0e95fb1cd679067117354af2ab4423277d9a0ff6e8bf790%40%3Cdev.karaf.apache.org%3E

Mailing List mailing-list x_refsource_mlist

https://lists.apache.org/thread.html/r218c7e017af0a860ae21bf7ab77520fd2070c8f52db680eeec03a266%40%3Ccommits.karaf.apache.org%3E

Scores

CVSS v3 4.9

EPSS 0.0162

EPSS Percentile 82.0%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

Details

CWE

CWE-22

Status published

Products (2)

apache/karaf < 4.2.5

org.apache.karaf.config/org.apache.karaf.config.core 0 - 4.2.5Maven

Published May 09, 2019

Tracked Since Feb 18, 2026