PT-2020-12965 · Apache · Apache Karaf

Colm O Heigeartaigh · Published 2020-06-12 · Updated 2022-02-10 · CVE-2020-11980

CVSS v2.0: 6.5 (Medium)
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: Apache Karaf versions prior to 4.2.9
Description: The issue concerns JMX authentication and authorization in Karaf, where authorization is decided by the method name being invoked. By default only the "admin" role can invoke methods on an MBean, but the "viewer" role is allowed to call get* methods. Because that rule matches on the "get" prefix alone, a user authenticated as "viewer" can invoke the MLet getMBeansFromURL method, which fetches an MBean from a URL chosen by the caller and registers it in Karaf's MBean server. The viewer still lacks permission to invoke the newly registered MBean, so the attack does not complete, but the call already makes Karaf issue an outbound request to an attacker-chosen URL (an SSRF style attack) and pollutes the MBean registry with attacker-supplied MBeans, which could serve as a step toward privilege escalation. The vulnerability can be mitigated by adding an ACL entry that limits access to this method.
Recommendations: Update to Apache Karaf 4.2.9 or newer. As a temporary workaround, add a JMX ACL entry that restricts the MLet getMBeansFromURL method to the "admin" role, so that the default rule granting get* methods to "viewer" no longer covers it.
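The workaround as a concrete configuration, added here as an example; it is not taken from the Karaf distribution or from the advisory. It assumes Karaf's fallback JMX ACL file etc/jmx.acl.cfg with the default wildcard rules shown, and that the guard resolves an exact method-name entry before wildcard patterns such as get* (which is how Karaf documents its ACL matching). The file path and the comments describing the defaults are assumptions of this example.

```properties
# etc/jmx.acl.cfg (path and surrounding defaults are assumptions for this example)
#
# Fallback JMX ACL consulted when no more specific jmx.acl.<domain>.<type>.cfg
# matches the target MBean. Each rule is "method = role[,role]". An exact
# method name is resolved before wildcard patterns, so the explicit entry at
# the bottom overrides the get* rule for that one method wherever it sits.

# Weak default: every method whose name starts with "get" is granted to
# "viewer". That includes MLet.getMBeansFromURL, which is not a read: it
# fetches a caller-supplied URL and registers whatever MBeans it finds.
list* = viewer
get* = viewer
is* = viewer
set* = admin
* = admin

# Mitigation: pin the side-effecting "getter" to the admin role so that a
# JMX client holding only the viewer role is refused when it invokes it.
getMBeansFromURL = admin
```

After applying the change, reconnect over JMX as a user that holds only the viewer role and invoke getMBeansFromURL on the MLet MBean; the call should now be refused while ordinary get* attributes on other MBeans keep working. The rule is keyed on method name only, so it also covers any other MBean that exposes a method of that name, which is the intended effect here.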

Fix

SSRF


Related Identifiers

CVE-2020-11980
GHSA-9JG9-6WM2-X7P5

Affected Products

Apache Karaf