Description

Apache Karaf provides a features deployer, which allows users to "hot deploy" a features XML by dropping the file directly in the deploy folder. The features XML is parsed by the XMLInputFactory class. The Apache Karaf XMLInputFactory class does not contain any mitigation code against XXE. This is a potential security risk, as a user can inject external XML entities in Apache Karaf versions prior to 4.1.7 or 4.2.2. It has been fixed in the Apache Karaf 4.1.7 and 4.2.2 releases.

A flaw was found in the Apache Karaf XMLInputFactory, where it does not prevent External Entity Processing (XXE). This is a potential security risk, as an attacker could inject external XML entities to access sensitive information or conduct further attacks.
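The mitigation the description refers to is a matter of how the StAX factory is configured. The following is an added example, not code from this page or from the Karaf project: it contrasts a default XMLInputFactory (no XXE protection) with a hardened one, and parses a constructed features document that declares an external entity; the entity's SYSTEM URI is a placeholder and nothing is fetched.

```java
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import java.io.StringReader;

public class FeaturesXxeCheck {

    // Default factory: no XXE mitigation, comparable to the pre-fix situation
    // the description above refers to. Shown only for contrast.
    static XMLInputFactory defaultFactory() {
        return XMLInputFactory.newInstance();
    }

    // Hardened factory: no DTD processing and no external entity resolution.
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return f;
    }

    // Constructed sample features document declaring an external entity.
    // The SYSTEM URI is a placeholder (assumption), not a real resource.
    static final String FEATURES_WITH_ENTITY =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE features [<!ENTITY ext SYSTEM \"file:///placeholder\">]>\n" +
        "<features name=\"demo\"><feature name=\"f\">&ext;</feature></features>";

    // Parses the document and returns the character data found in it.
    static String parseFeatureText(XMLInputFactory f, String xml) throws XMLStreamException {
        XMLStreamReader r = f.createXMLStreamReader(new StringReader(xml));
        StringBuilder text = new StringBuilder();
        while (r.hasNext()) {
            if (r.next() == XMLStreamConstants.CHARACTERS) {
                text.append(r.getText());
            }
        }
        return text.toString();
    }

    public static void main(String[] args) {
        try {
            // With the hardened factory the parser either rejects the DOCTYPE
            // or leaves the entity unexpanded; the external resource is never read.
            String t = parseFeatureText(hardenedFactory(), FEATURES_WITH_ENTITY);
            System.out.println("hardened: entity not expanded, text='" + t + "'");
        } catch (XMLStreamException e) {
            System.out.println("hardened: document rejected (" + e.getMessage() + ")");
        }
    }
}
```

Running `parseFeatureText(defaultFactory(), ...)` instead is the configuration to avoid: the default factory will attempt to resolve the external entity.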
Report

Red Hat OpenStack Platform: Karaf is used by RHOSP's OpenDaylight, and this flaw impacts the loading of XML documents within Karaf, allowing arbitrary XML to be injected into parsed documents. The impact of this vulnerability is reduced in OpenDaylight, given Karaf is an administrative component and not normally exposed to public networks or non-privileged users, and therefore will not be fixed at this time.

Fuse 7: The impact of this vulnerability is reduced, as exploiting it would require an authenticated user, and no unsecured endpoints are exposed to the network.
Affected packages

| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| Red Hat Fuse 7 | karaf | Affected | ||
| Red Hat JBoss A-MQ 6 | karaf | Will not fix | ||
| Red Hat JBoss Fuse 6 | karaf | Will not fix | ||
| Red Hat JBoss Fuse Service Works 6 | karaf | Will not fix | ||
| Red Hat OpenStack Platform 10 (Newton) | opendaylight | Out of support scope | ||
| Red Hat OpenStack Platform 13 (Queens) | opendaylight | Will not fix | ||
| Red Hat OpenStack Platform 14 (Rocky) | opendaylight | Out of support scope | ||
| Red Hat OpenStack Platform 8 (Liberty) | opendaylight | Out of support scope | ||
| Red Hat OpenStack Platform 9 (Mitaka) | opendaylight | Out of support scope | ||
Additional information

CVSS3: 7.3 High
Related vulnerabilities
Vulnerability in the XMLInputFactory class of the Apache Karaf OSGi container, allowing an attacker to execute arbitrary code