CVE-2020-11980

In Karaf, JMX authentication takes place using JAAS and authorization takes place using ACL files. By default, only an "admin" can actually invoke on an MBean. However there is a vulnerability there for someone who is not an admin, but has a "viewer" role. In the 'etc/jmx.acl.cfg', such as role can call get*. It's possible to authenticate as a viewer role + invokes on the MLet getMBeansFromURL method, which goes off to a remote server to fetch the desired MBean, which is then registered in Karaf. At this point the attack fails as "viewer" doesn't have the permission to invoke on the MBean. Still, it could act as a SSRF style attack and also it essentially allows a "viewer" role to pollute the MBean registry, which is a kind of privilege escalation. The vulnerability is low as it's possible to add a ACL to limit access. Users should update to Apache Karaf 4.2.9 or newer.

CVSS v3 6.3 MEDIUM
CVSS v2.0 6.5 MEDIUM

6.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

6.5^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:S/C:P/I:P/A:P

Exploitability : 8.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://karaf.apache.org/security/cve-2020-11980.txt	Vendor Advisory
http://karaf.apache.org/security/cve-2020-11980.txt	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:karaf:*:*:*:*:*:*:*:*

History

21 Nov 2024, 04:59

Type	Values Removed	Values Added
References	~~() http://karaf.apache.org/security/cve-2020-11980.txt - Vendor Advisory~~	() http://karaf.apache.org/security/cve-2020-11980.txt - Vendor Advisory

Information

Published : 2020-06-12 22:15

Updated : 2024-11-21 04:59

NVD link : CVE-2020-11980

Mitre link : CVE-2020-11980

CVE.ORG link : CVE-2020-11980

JSON object : View

Products Affected

apache

karaf

CWE

CWE-918

Server-Side Request Forgery (SSRF)

{"id": "CVE-2020-11980", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 3.4, "exploitabilityScore": 2.8}]}, "published": "2020-06-12T22:15:11.473", "references": [{"url": "http://karaf.apache.org/security/cve-2020-11980.txt", "tags": ["Vendor Advisory"], "source": "security@apache.org"}, {"url": "http://karaf.apache.org/security/cve-2020-11980.txt", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-918"}]}], "descriptions": [{"lang": "en", "value": "In Karaf, JMX authentication takes place using JAAS and authorization takes place using ACL files. By default, only an \"admin\" can actually invoke on an MBean. However there is a vulnerability there for someone who is not an admin, but has a \"viewer\" role. In the 'etc/jmx.acl.cfg', such as role can call get*. It's possible to authenticate as a viewer role + invokes on the MLet getMBeansFromURL method, which goes off to a remote server to fetch the desired MBean, which is then registered in Karaf. At this point the attack fails as \"viewer\" doesn't have the permission to invoke on the MBean. Still, it could act as a SSRF style attack and also it essentially allows a \"viewer\" role to pollute the MBean registry, which is a kind of privilege escalation. The vulnerability is low as it's possible to add a ACL to limit access. Users should update to Apache Karaf 4.2.9 or newer."}, {"lang": "es", "value": "En Karaf, la autenticaci\u00f3n JMX se lleva a cabo usando JAAS y la autorizaci\u00f3n utilizando archivos de ACL. Por defecto, solo un \"admin\" puede invocar actualmente en un MBean. Sin embargo, se presenta una vulnerabilidad para alguien que no es administrador, pero que tiene un rol de \"viewer\". En \"etc/jmx.acl.cfg\", como el role puede llamar a get*. Es posible autenticarse como un rol viewer + invocar en el m\u00e9todo MLet getMBeansFromURL, que se env\u00eda hacia un servidor remoto para obtener el MBean deseado, que luego se registra en Karaf. En este punto, se presenta un fallo en el ataque ya que el \"viewer\" no tiene permiso para invocar en el MBean. A\u00fan as\u00ed, podr\u00eda actuar como un ataque de estilo SSRF y tambi\u00e9n esencialmente permite que un rol de \"viewer\" contamine el registro MBean, que es un tipo de escalada de privilegios. La vulnerabilidad es baja ya que es posible agregar una ACL para limitar el acceso. Los usuarios deben actualizar a Apache Karaf versiones 4.2.9 o mas recientes"}], "lastModified": "2024-11-21T04:59:02.447", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:karaf:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7EA828D5-CB5C-45F1-9522-B5CF5E4C3E5F", "versionEndExcluding": "4.2.9"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}