CVE-2019-0191

Name of the Vulnerable Software and Affected Versions: Apache Karaf versions prior to 4.2.3

Description: The issue arises from the Apache Karaf kar deployer's failure to validate paths in .kar archives, allowing a malicious user to craft a .kar file with ".." directory names and write arbitrary content to the filesystem, known as the "Zip-slip" vulnerability. The impact of this issue is mitigated if the Karaf process user has limited permission on the filesystem.

Recommendations: For versions prior to 4.2.3, update to version 4.2.3 or later to resolve the issue. As a temporary workaround, consider restricting the permissions of the Karaf process user on the filesystem to minimize the risk of exploitation.