CVE-2018-11786

Name: CVE-2018-11786
Creator: NVD / NIST
Published: 2018-09-18T14:29:00.357+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

UnknownEPSS 1.90%

Last modified Jun 17, 2026

CVE-2018-11786 is a vulnerability of currently unknown severity. In Apache Karaf prior to 4.2.0 release, if the sshd service in Karaf is left on so an administrator can manage the running instance, any user with rights to the Karaf console can pivot and read/write any file on the file system to which the Karaf process user has access. This can be locked down a bit by using chroot to change the root directory to protect files outside of the Karaf install directory; it can be further locked down by defining a security manager policy that limits file system access to those directories beneath the Karaf home that are necessary for the system to run. EPSS estimates a 1.90% chance of exploitation in the next 30 days.

Description

In Apache Karaf prior to 4.2.0 release, if the sshd service in Karaf is left on so an administrator can manage the running instance, any user with rights to the Karaf console can pivot and read/write any file on the file system to which the Karaf process user has access. This can be locked down a bit by using chroot to change the root directory to protect files outside of the Karaf install directory; it can be further locked down by defining a security manager policy that limits file system access to those directories beneath the Karaf home that are necessary for the system to run. However, this still allows anyone with ssh access to the Karaf process to read and write a large number of files as the Karaf process user.

Metrics

EPSS Probability

1.90%

77.1th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-269

Affected Software

Vendor	Product	Versions
Apache	Karaf	< 4.2.0

References

http://karaf.apache.org/security/cve-2018-11786.txtPatch, Vendor Advisory
https://issues.apache.org/jira/browse/KARAF-5427Issue Tracking, Patch, Vendor Advisory
https://lists.apache.org/thread.html/5b7ac762c6bbe77ac5d9389f093fc6dbf196c36d788e3d7629e6c1d9%40%3Cdev.karaf.apache.org%3E
http://karaf.apache.org/security/cve-2018-11786.txtPatch, Vendor Advisory
https://issues.apache.org/jira/browse/KARAF-5427Issue Tracking, Patch, Vendor Advisory
https://lists.apache.org/thread.html/5b7ac762c6bbe77ac5d9389f093fc6dbf196c36d788e3d7629e6c1d9%40%3Cdev.karaf.apache.org%3E

Timeline

Published: Sep 18, 2018
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2018-11786?

How severe is CVE-2018-11786?

Severity scoring for CVE-2018-11786 is pending analysis. The EPSS model estimates a 1.90% probability of exploitation in the next 30 days.

How do I fix CVE-2018-11786?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2018-11786?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST