CVE-2022-22932

Path traversal flaws

Description

Apache Karaf obr:* commands and run goal on the karaf-maven-plugin have partial path traversal which allows to break out of expected folder. The risk is low as obr:* commands are not very used and the entry is set by user. This has been fixed in revision: https://gitbox.apache.org/repos/asf?p=karaf.git;h=36a2bc4 https://gitbox.apache.org/repos/asf?p=karaf.git;h=52b70cf Mitigation: Apache Karaf users should upgrade to 4.2.15 or 4.3.6 or later as soon as possible, or use correct path. JIRA Tickets: https://issues.apache.org/jira/browse/KARAF-7326

Remediation

Workaround:

  • Apache Karaf users should upgrade to 4.2.15 or 4.3.6 or later as soon as possible, or use correct path.

Category

5.3
CVSS
Severity: Medium
CVSS 3.1 •
CVSS 2.0 •
EPSS 0.60%
Vendor Advisory apache.org
Affected: Apache Software Foundation Apache Karaf
Published at:
Updated at:

References

Link Tags
https://karaf.apache.org/security/cve-2022-22932.txt vendor advisory

Frequently Asked Questions

What is the severity of CVE-2022-22932?
CVE-2022-22932 has been scored as a medium severity vulnerability.
How to fix CVE-2022-22932?
As a workaround for remediating CVE-2022-22932: Apache Karaf users should upgrade to 4.2.15 or 4.3.6 or later as soon as possible, or use correct path.
Is CVE-2022-22932 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2022-22932 is being actively exploited. According to its EPSS score, there is a ~1% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2022-22932?
CVE-2022-22932 affects Apache Software Foundation Apache Karaf.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.