Apache Karaf webconsole Feature Unauthorized Access Vulnerability

September 20, 2018

A vulnerability in the webconsole feature of Apache Karaf could allow an unauthenticated, remote attacker to gain unauthorized access to the Gogo shell on a targeted system.

The vulnerability is due to improper security restrictions in the affected software. If the Pax Web Extender Whiteboard bundle is installed on an affected system, the Gogo console, which is part of the webconsole feature, can become reachable at an unsecured URL, that is, one that does not require authentication. An attacker could exploit this vulnerability by sending requests directly to that URL. A successful exploit could give the attacker unauthenticated access to the Gogo shell of the webconsole feature, which the attacker could use to conduct further attacks.
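The practical check for this class of issue is to request the console endpoint with no credentials and see whether the server challenges you or serves the shell page. The following script is an added example, not code from the advisory or from the Apache Karaf project. It assumes (the page does not say this) that the webconsole is mounted at /system/console and that the Gogo plugin answers at /system/console/gogo; both the path and the page-body heuristics are assumptions and should be adjusted to the deployment being tested.

```python
"""Unauthenticated-access check for the Apache Karaf webconsole Gogo shell.

Added example (not from the advisory or the Karaf project). Assumed, not
stated on the page: console path /system/console/gogo and the body
keywords used to recognise a shell page versus a login form.
"""
import sys
import urllib.error
import urllib.request

GOGO_PATH = "/system/console/gogo"  # assumed default; override per deployment


def classify_response(status, body=""):
    """Map an unauthenticated HTTP response to a verdict string.

    401/403: the endpoint is behind authentication (expected after the fix).
    200 with a login form: form-based login in front of the console.
    200 with a shell/console page: reachable without credentials, the
        condition the advisory describes.
    404: the webconsole feature or the Gogo plugin is not installed.
    """
    text = body.lower()
    if status in (401, 403):
        return "secured"
    if status == 404:
        return "not-installed"
    if status == 200:
        # Heuristics (assumed): a login form means a form-auth gate; a page
        # mentioning the Gogo shell means the console itself was served.
        if "<form" in text and ("password" in text or "login" in text):
            return "login-form"
        if "gogo" in text or "shell" in text:
            return "exposed"
        return "unexpected-200"
    return "unhandled-%d" % status


def probe(base_url, path=GOGO_PATH, timeout=5.0):
    """GET the console URL with no Authorization header and classify it."""
    url = base_url.rstrip("/") + path
    req = urllib.request.Request(url, method="GET",
                                 headers={"User-Agent": "gogo-auth-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read(65536).decode("utf-8", "replace")
            return classify_response(resp.status, body)
    except urllib.error.HTTPError as err:
        # urllib raises for 4xx/5xx; the status is still the answer we want.
        return classify_response(err.code, "")


def main(argv):
    if len(argv) < 2:
        print("usage: %s http://host:8181 [path]" % argv[0])
        return 2
    path = argv[2] if len(argv) > 2 else GOGO_PATH
    verdict = probe(argv[1], path)
    print("%s%s -> %s" % (argv[1].rstrip("/"), path, verdict))
    # Non-zero exit only when the shell was served without credentials.
    return 1 if verdict == "exposed" else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A verdict of "secured" only means the probed path challenged an anonymous client; if a deployment mounts the console elsewhere, or behind a reverse proxy that rewrites paths, pass the real path as the second argument rather than trusting the default.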

Proof-of-concept (PoC) code that demonstrates an exploit of this vulnerability is publicly available.

Apache confirmed the vulnerability and released software updates.

Security Impact Rating: High

CVE: CVE-2018-11787
