CVE-2019-0191: Moderate severity vulnerability that affects org.apache.karaf:apache-karaf and org.apache.karaf:karaf
Score: 6.5

Basic Information

Technical Details
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.apache.karaf:karaf | maven | < 4.2.3 | 4.2.3 |
| org.apache.karaf:apache-karaf | maven | < 4.2.3 | 4.2.3 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability centers on insecure path handling during KAR archive extraction. This assessment is based on:

1. the CVE description, which specifies the processing of `repository/` and `resources/` entries;
2. the standard Zip-slip vulnerability pattern, in which zip entry names are used without validation;
3. Karaf's architecture, in which `KarDeployer` handles KAR file deployment.

The `extractResources` and `extractRepository` methods are explicitly mentioned in the vulnerability description as the code that processes the vulnerable paths. The `writeEntry` method (likely an inner class method) would be responsible for the actual file write operations using the untrusted paths. These functions would appear in stack traces during malicious KAR file processing, since in vulnerable versions they perform the path concatenation and file write operations without validation.
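To make the Zip-slip pattern concrete from the defender's side, the following is an added illustration, not Karaf's code and not the fix shipped in 4.2.3: a minimal extractor that, like the `extractRepository` and `extractResources` step described above, only processes `repository/` and `resources/` entries, but resolves and normalizes each entry name against the target directory and rejects any entry whose resolved path escapes it. The class name `SafeKarExtract`, the helper names and the in-memory archive (one benign entry plus one constructed entry containing `../`) are all assumptions made for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

// Added illustration (hypothetical class, not Karaf's KarDeployer): zip extraction
// that rejects entries whose resolved path escapes the target directory (Zip-slip).
public final class SafeKarExtract {

    /** Resolve an archive entry name against the target root, rejecting any escape. */
    static Path resolveEntry(Path root, String entryName) throws IOException {
        Path normalizedRoot = root.toAbsolutePath().normalize();
        // Resolve first, then normalize, so "../" segments are collapsed before the check.
        Path target = normalizedRoot.resolve(entryName).normalize();
        // Path.startsWith compares whole name elements, so "/tmp/root2" does not pass for "/tmp/root".
        if (!target.startsWith(normalizedRoot)) {
            throw new IOException("Zip-slip: entry escapes target directory: " + entryName);
        }
        return target;
    }

    /** Extract only the repository/ and resources/ sub-trees, as a KAR deployer would. */
    static List<String> extract(InputStream kar, Path root) throws IOException {
        List<String> written = new ArrayList<>();
        try (ZipInputStream zin = new ZipInputStream(kar)) {
            ZipEntry e;
            while ((e = zin.getNextEntry()) != null) {
                String name = e.getName();
                if (!(name.startsWith("repository/") || name.startsWith("resources/"))) {
                    continue; // not a KAR payload entry
                }
                Path out = resolveEntry(root, name); // throws before anything is written
                if (e.isDirectory()) {
                    Files.createDirectories(out);
                    continue;
                }
                Files.createDirectories(out.getParent());
                Files.copy(zin, out); // reads until the end of the current entry
                written.add(name);
            }
        }
        return written;
    }

    /** Constructed KAR-like archive: one benign entry and, optionally, one traversal entry. */
    static byte[] constructedKar(boolean withTraversal) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream zout = new ZipOutputStream(bos)) {
            zout.putNextEntry(new ZipEntry("repository/org/example/bundle.jar"));
            zout.write("bundle".getBytes(StandardCharsets.UTF_8));
            zout.closeEntry();
            if (withTraversal) {
                // Constructed hostile entry name: escapes the target directory via "../".
                zout.putNextEntry(new ZipEntry("resources/../../outside/evil.cfg"));
                zout.write("x".getBytes(StandardCharsets.UTF_8));
                zout.closeEntry();
            }
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        Path root = Files.createTempDirectory("kar-root");
        System.out.println("benign archive, written: "
                + extract(new ByteArrayInputStream(constructedKar(false)), root));
        try {
            extract(new ByteArrayInputStream(constructedKar(true)), root);
        } catch (IOException ex) {
            System.out.println("hostile archive rejected: " + ex.getMessage());
        }
    }
}
```

The check must run on the normalized, resolved path rather than on the raw entry name: a string test such as `name.contains("..")` is both too strict (it rejects legitimate names like `foo..bar`) and too loose (it misses absolute entry names). Normalizing the root first matters as well, because `Path.startsWith` compares name elements, not string prefixes, so a root that still contains `.` or `..` components would never match.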