CVE-2019-0226 — Apache Karaf vulnerable to relative path traversal

Description

Apache Karaf Config service provides a install method (via service or MBean) that could be used to travel in any directory and overwrite existing file. The vulnerability is low if the Karaf process user has limited permission on the filesystem. Any Apache Karaf version before 4.2.5 is impacted. User should upgrade to Apache Karaf 4.2.5 or later.

How to fix CVE-2019-0226

To remediate CVE-2019-0226, upgrade the affected package to a fixed version below.

—upgrade to 4.2.5 or later

Is CVE-2019-0226 being exploited?

Low — EPSS is 1.8%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 4.2.5

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.9	CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2019-0226
PATCHgithub.com/apache/karaf
WEBgithub.com/apache/karaf/pull/805
WEBissues.apache.org/jira/browse/KARAF-6230
WEB