Daniel Heyne

#31588 of 53,634
8.1 Total CVSS
Vulnerabilities · 1
PT-2022-11480
8.1
2022-01-26
Apache · Apache Karaf · CVE-2021-41766
**Name of the Vulnerable Software and Affected Versions**

Apache Karaf (affected versions not specified in this entry)

**Description**

Apache Karaf exposes monitoring of deployed applications and of the Java runtime through Java Management Extensions (JMX). JMX is a Java RMI based technology that relies on Java serialized objects for client/server communication. Whereas the default JMX implementation in the JDK is hardened against unauthenticated deserialization attacks, the implementation used by Apache Karaf is not, so a client that can reach the JMX/RMI endpoint can submit arbitrary serialized objects before authenticating.

The impact of a Java deserialization vulnerability depends on which classes are available on the target's class path: exploitation requires a "gadget chain" of serializable classes whose deserialization side effects can be abused. Deserialization of untrusted data is always a high security risk and should be prevented. By default, Karaf uses a limited set of classes in the JMX server class path, which reduces the risk but does not remove it, since additional bundles deployed on the container extend that class path.

**Recommendations**

At the time this entry was written, no fixed release had been recorded here; check the Apache Karaf security advisories for the version that contains the fix. In the meantime, do not expose the JMX/RMI ports (by default 1099 and 44444) beyond trusted networks, and restrict the classes the JVM is willing to deserialize.
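The recommendation above rests on the fact that a deserialization attack only succeeds if the JVM agrees to instantiate the attacker's chosen classes. The following is an added example, not code from the Apache Karaf project or from this advisory, showing the JDK's built-in mechanism for enforcing that: a JEP 290 `ObjectInputFilter` built from an allow-list pattern. The pattern, the `NotAllowed` stand-in for a gadget class, and the sample payloads are all constructed for the demonstration; the filter syntax and the `java.io.ObjectInputFilter` API are standard in Java 9 and later.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;

/**
 * Added example (not Karaf project code): a JEP 290 deserialization filter
 * that admits only the classes a JMX client is expected to send and rejects
 * everything else. With such a filter in place, a client that submits a
 * serialized gadget chain gets an InvalidClassException instead of code
 * execution, regardless of what else is on the server class path.
 */
public class JmxDeserFilterDemo {

    // Hypothetical allow-list for a JMX endpoint. Patterns are evaluated in
    // order; ".*" matches one package, ".**" matches a package and its
    // subpackages, and the trailing "!*" rejects anything not matched above.
    // maxdepth/maxrefs bound the object graph to blunt resource-exhaustion
    // payloads that use only allowed classes.
    static final String PATTERN =
        "java.lang.*;java.util.*;javax.management.**;!*;maxdepth=10;maxrefs=200";

    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(PATTERN);

    // Stand-in for a gadget class that happens to be on the server class path.
    // Its package (the demo class itself) is not on the allow-list.
    static class NotAllowed implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    /** Serialize an object graph the way a JMX client would put it on the wire. */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /**
     * Deserialize with the allow-list filter attached. The filter is consulted
     * for every class in the stream before it is resolved, so a rejected class
     * is never loaded or instantiated; the stream fails with
     * InvalidClassException ("filter status: REJECTED").
     */
    static Object deserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(FILTER);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // A benign payload made only of allow-listed classes (constructed sample).
        List<String> attributeNames = new ArrayList<>(List.of("HeapMemoryUsage", "Uptime"));
        System.out.println("accepted: " + deserialize(serialize(attributeNames)));

        // A payload carrying a class outside the allow-list (constructed sample).
        try {
            deserialize(serialize(new NotAllowed()));
            System.out.println("BUG: disallowed class was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same pattern can be applied process-wide, without touching Karaf's code, by starting the container JVM with `-Djdk.serialFilter=<pattern>`; that default filter is consulted by every `ObjectInputStream` in the process, including the ones RMI creates for JMX traffic. An allow-list this narrow needs to be tuned to the MBean attribute and operation types actually used (a rejected legitimate call shows up as the same `InvalidClassException`), and it is a mitigation layered on top of network restrictions and upgrading, not a substitute for them.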