{
  "affected": [
    {
      "ranges": [
        {
          "database_specific": {
            "versions": [
              {
                "introduced": "0"
              },
              {
                "fixed": "3.0.9"
              },
              {
                "introduced": "4.0.0"
              },
              {
                "fixed": "4.0.9"
              },
              {
                "introduced": "4.1.0"
              },
              {
                "fixed": "4.1.1"
              },
              {
                "introduced": "0"
              },
              {
                "last_affected": "4.0.0-milestone1"
              },
              {
                "introduced": "0"
              },
              {
                "last_affected": "4.0.0-milestone2"
              },
              {
                "introduced": "0"
              },
              {
                "last_affected": "4.0.0-milestone3"
              }
            ]
          },
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "cc35db03bf215514cff03f449febc694de8abb11"
            },
            {
              "introduced": "16ca637a0c6ff362b8c5b4f93895a2d778b2fa15"
            },
            {
              "fixed": "78015102732b275e5775d29a988cc00ad0071f66"
            },
            {
              "introduced": "d10ef312d12f18dd38dd1af70c9c96e7b7f9354b"
            },
            {
              "fixed": "74a801a8e559f2899e47edd381cdff136808cd12"
            },
            {
              "introduced": "0"
            },
            {
              "last_affected": "f5956bff28a8712edd530b5103a448bf0333135d"
            },
            {
              "introduced": "0"
            },
            {
              "last_affected": "8d709021811fc6fc5f62997d99015b0c9c650532"
            },
            {
              "introduced": "0"
            },
            {
              "last_affected": "75c68ac010caddcc35601630e715dc8c09e3b3eb"
            }
          ],
          "repo": "https://github.com/apache/karaf",
          "type": "GIT"
        }
      ]
    }
  ],
  "details": "In Apache Karaf version prior to 3.0.9, 4.0.9, 4.1.1, when the webconsole feature is installed in Karaf, it is available at .../system/console and requires authentication to access it. One part of the console is a Gogo shell/console that gives access to the command line console of Karaf via a Web browser, and when navigated to it is available at .../system/console/gogo. Trying to go directly to that URL does require authentication. And optional bundle that some applications use is the Pax Web Extender Whiteboard, it is part of the pax-war feature and perhaps others. When it is installed, the Gogo console becomes available at another URL .../gogo/, and that URL is not secured giving access to the Karaf console to unauthenticated users. A mitigation for the issue is to manually stop/uninstall Gogo plugin bundle that is installed with the webconsole feature, although of course this removes the console from the .../system/console application, not only from the unauthenticated endpoint. One could also stop/uninstall the Pax Web Extender Whiteboard, but other components/applications may require it and so their functionality would be reduced/compromised.",
  "id": "CVE-2018-11787",
  "modified": "2026-03-13T21:49:15.177749671Z",
  "published": "2018-09-18T14:29:00.620Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/d9ba4c3104ba32225646879a057b75b54430f349c246c85469037d3c%40%3Cdev.karaf.apache.org%3E"
    },
    {
      "type": "ADVISORY",
      "url": "https://issues.apache.org/jira/browse/KARAF-4993"
    },
    {
      "type": "FIX",
      "url": "http://karaf.apache.org/security/cve-2018-11787.txt"
    }
  ],
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}