VulnerableCode Package Details - pkg:maven/org.apache.karaf/apache-karaf@4.0.10

Search for packages

Vulnerability	Summary	Fixed by
VCID-gq9d-gg4k-ebhd Aliases: CVE-2018-11786 GHSA-9448-c9wq-jg9v		4.2.0 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-vs7q-k273-4bcb Aliases: CVE-2019-0191 GHSA-869j-5855-hjpm	Path Traversal Apache Karaf kar deployer reads `.kar` archives and extracts the paths from the `repository/` and `resources/` entries in the zip file. It then writes out the content of these paths to the Karaf repo and resources directories. However, it does not do any validation on the paths in the zip file. This means that a malicious user could craft a .kar file with `..` directory names and break out of the directories to write arbitrary content to the filesystem.	4.2.3 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-gq9d-gg4k-ebhd
Aliases:
CVE-2018-11786
GHSA-9448-c9wq-jg9v

4.2.0
Affected by 1 other vulnerability.

VCID-vs7q-k273-4bcb
Aliases:
CVE-2019-0191
GHSA-869j-5855-hjpm

Path Traversal Apache Karaf kar deployer reads `.kar` archives and extracts the paths from the `repository/` and `resources/` entries in the zip file. It then writes out the content of these paths to the Karaf repo and resources directories. However, it does not do any validation on the paths in the zip file. This means that a malicious user could craft a .kar file with `..` directory names and break out of the directories to write arbitrary content to the filesystem.

4.2.3
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-mvy5-xw6x-y7h2	Improper Input Validation Apache Karaf before 4.0.10 enables a shutdown port on the loopback interface, which allows local users to cause a denial of service (shutdown) by sending a shutdown command to all listening high ports.	CVE-2014-0219 GHSA-m6g3-xq5q-4hg9

Vulnerability

Summary

Aliases

VCID-mvy5-xw6x-y7h2

Improper Input Validation Apache Karaf before 4.0.10 enables a shutdown port on the loopback interface, which allows local users to cause a denial of service (shutdown) by sending a shutdown command to all listening high ports.

CVE-2014-0219
GHSA-m6g3-xq5q-4hg9

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-05-31T11:33:29.278742+00:00	GithubOSV Importer	Fixing	VCID-mvy5-xw6x-y7h2	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-m6g3-xq5q-4hg9/GHSA-m6g3-xq5q-4hg9.json	38.6.0
2026-05-31T09:54:58.590981+00:00	GitLab Importer	Affected by	VCID-vs7q-k273-4bcb	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.karaf/apache-karaf/CVE-2019-0191.yml	38.6.0
2026-05-31T09:52:36.402845+00:00	GitLab Importer	Affected by	VCID-gq9d-gg4k-ebhd	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.karaf/apache-karaf/CVE-2018-11786.yml	38.6.0
2026-05-30T20:59:05.803739+00:00	GitLab Importer	Fixing	VCID-mvy5-xw6x-y7h2	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.karaf/apache-karaf/CVE-2014-0219.yml	38.6.0