{"containers":{"cna":{"affected":[{"product":"Apache Karaf","vendor":"Apache Software Foundation","versions":[{"status":"affected","version":"prior to 3.0.9"},{"status":"affected","version":"4.0.x prior to 4.0.9"},{"status":"affected","version":"4.1.x prior to 4.1.1"}]}],"datePublic":"2018-09-18T00:00:00.000Z","descriptions":[{"lang":"en","value":"In Apache Karaf version prior to 3.0.9, 4.0.9, 4.1.1, when the webconsole feature is installed in Karaf, it is available at .../system/console and requires authentication to access it. One part of the console is a Gogo shell/console that gives access to the command line console of Karaf via a Web browser, and when navigated to it is available at .../system/console/gogo. Trying to go directly to that URL does require authentication. An optional bundle that some applications use is the Pax Web Extender Whiteboard; it is part of the pax-war feature and perhaps others. When it is installed, the Gogo console becomes available at another URL .../gogo/, and that URL is not secured giving access to the Karaf console to unauthenticated users. A mitigation for the issue is to manually stop/uninstall the Gogo plugin bundle that is installed with the webconsole feature, although of course this removes the console from the .../system/console application, not only from the unauthenticated endpoint. 
One could also stop/uninstall the Pax Web Extender Whiteboard, but other components/applications may require it and so their functionality would be reduced/compromised."}],"problemTypes":[{"descriptions":[{"description":"Unsecure Access","lang":"en","type":"text"}]}],"providerMetadata":{"dateUpdated":"2018-09-18T13:57:02.000Z","orgId":"f0158376-9dc2-43b6-827c-5f631a4d8d09","shortName":"apache"},"references":[{"tags":["x_refsource_CONFIRM"],"url":"https://issues.apache.org/jira/browse/KARAF-4993"},{"name":"[karaf-dev] 20180918 [SECURITY] New security advisory for CVE-2018-11787 released for Apache Karaf","tags":["mailing-list","x_refsource_MLIST"],"url":"https://lists.apache.org/thread.html/d9ba4c3104ba32225646879a057b75b54430f349c246c85469037d3c%40%3Cdev.karaf.apache.org%3E"},{"tags":["x_refsource_CONFIRM"],"url":"http://karaf.apache.org/security/cve-2018-11787.txt"}],"x_legacyV4Record":{"CVE_data_meta":{"ASSIGNER":"security@apache.org","DATE_PUBLIC":"2018-09-18T00:00:00","ID":"CVE-2018-11787","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"Apache Karaf","version":{"version_data":[{"version_value":"prior to 3.0.9"},{"version_value":"4.0.x prior to 4.0.9"},{"version_value":"4.1.x prior to 4.1.1"}]}}]},"vendor_name":"Apache Software Foundation"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"In Apache Karaf version prior to 3.0.9, 4.0.9, 4.1.1, when the webconsole feature is installed in Karaf, it is available at .../system/console and requires authentication to access it. One part of the console is a Gogo shell/console that gives access to the command line console of Karaf via a Web browser, and when navigated to it is available at .../system/console/gogo. Trying to go directly to that URL does require authentication. 
An optional bundle that some applications use is the Pax Web Extender Whiteboard; it is part of the pax-war feature and perhaps others. When it is installed, the Gogo console becomes available at another URL .../gogo/, and that URL is not secured giving access to the Karaf console to unauthenticated users. A mitigation for the issue is to manually stop/uninstall the Gogo plugin bundle that is installed with the webconsole feature, although of course this removes the console from the .../system/console application, not only from the unauthenticated endpoint. One could also stop/uninstall the Pax Web Extender Whiteboard, but other components/applications may require it and so their functionality would be reduced/compromised."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Unsecure Access"}]}]},"references":{"reference_data":[{"name":"https://issues.apache.org/jira/browse/KARAF-4993","refsource":"CONFIRM","url":"https://issues.apache.org/jira/browse/KARAF-4993"},{"name":"[karaf-dev] 20180918 [SECURITY] New security advisory for CVE-2018-11787 released for Apache Karaf","refsource":"MLIST","url":"https://lists.apache.org/thread.html/d9ba4c3104ba32225646879a057b75b54430f349c246c85469037d3c@%3Cdev.karaf.apache.org%3E"},{"name":"http://karaf.apache.org/security/cve-2018-11787.txt","refsource":"CONFIRM","url":"http://karaf.apache.org/security/cve-2018-11787.txt"}]}}},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-05T08:17:09.210Z"},"title":"CVE Program Container","references":[{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"https://issues.apache.org/jira/browse/KARAF-4993"},{"name":"[karaf-dev] 20180918 [SECURITY] New security advisory for CVE-2018-11787 released for Apache 
Karaf","tags":["mailing-list","x_refsource_MLIST","x_transferred"],"url":"https://lists.apache.org/thread.html/d9ba4c3104ba32225646879a057b75b54430f349c246c85469037d3c%40%3Cdev.karaf.apache.org%3E"},{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"http://karaf.apache.org/security/cve-2018-11787.txt"}]}]},"cveMetadata":{"assignerOrgId":"f0158376-9dc2-43b6-827c-5f631a4d8d09","assignerShortName":"apache","cveId":"CVE-2018-11787","datePublished":"2018-09-18T14:00:00.000Z","dateReserved":"2018-06-05T00:00:00.000Z","dateUpdated":"2024-09-17T02:16:58.807Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.1"}