Apache Karaf
This hub aggregates every CVE we track for Apache Karaf, a product in the OSS libraries space. Use it to gauge the current risk picture and drill into individual advisories.
OSS Libraries / library
- CVEs tracked: 9
- Critical: 2
- High: 3
- In CISA KEV: 0
Severity distribution
- HIGH: 3
- MEDIUM: 3
- CRITICAL: 2
- LOW: 1
Monthly trend
[Chart: CVEs published per month, 2024-08 to 2026-07. One month shows 1 CVE; every other month shows 0.]
Latest CVEs
The 9 most recently published vulnerabilities affecting Apache Karaf.
- CVE-2026-24656: Apache Karaf: Decanter log-socket collector has deserialization vulnerability (score: 3.7)
- CVE-2022-40145: Apache Karaf: JDBC JAAS LDAP injection (score: 9.8)
- CVE-2022-22932: Path traversal flaws (score: 5.3)
- CVE-2021-41766: Insecure Java Deserialization in Apache Karaf (score: 8.1)
- CVE-2019-0191: Apache Karaf kar deployer reads .kar archives and extracts the paths from the "repository/" and "resources/" entries in the zip file. It then writes out the content of these paths to the Karaf repo... (score: 6.5)
- CVE-2018-11788: Apache Karaf provides a features deployer, which allows users to "hot deploy" a features XML by dropping the file directly in the deploy folder. The features XML is parsed by XMLInputFactory class.... (score: 9.8)
- CVE-2018-11786: In Apache Karaf prior to 4.2.0 release, if the sshd service in Karaf is left on so an administrator can manage the running instance, any user with rights to the Karaf console can pivot and read/wri... (score: 8.8)
- CVE-2018-11787: In Apache Karaf versions prior to 3.0.9, 4.0.9, 4.1.1, when the webconsole feature is installed in Karaf, it is available at .../system/console and requires authentication to access it. One part of ... (score: 8.1)
- CVE-2016-8750: Apache Karaf prior to 4.0.8 used the LDAPLoginModule to authenticate users to a directory via LDAP. However, it did not encode usernames properly and hence was vulnerable to LDAP injection attack... (score: 6.5)
Product normalization is registry-driven with AI assist and human review.