From: Arnout Engelen
To: oss-security@lists.openwall.com
Message-ID: <3d1e1b99-b57e-3720-81e5-b9e062276c83@apache.org>
Date: Thu, 09 May 2024 06:48:37 +0000
Subject: [oss-security] CVE-2024-34365: Apache Karaf Cave: Cave SSRF and arbitrary file access

Severity: important

Affected versions:

- Apache Karaf Cave or later

Description:

** UNSUPPORTED WHEN ASSIGNED ** Improper Input Validation vulnerability in Apache Karaf Cave. This issue affects all versions of Apache Karaf Cave.

As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users.

NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Credit:

cigar (finder)

References:

https://karaf.apache.org/security/cve-2024-34365.txt
https://karaf.apache.org/
https://www.cve.org/CVERecord?id=CVE-2024-34365