A vulnerability in Apache Karaf could allow an unauthenticated, remote attacker to gain access to sensitive information or consume memory resources on a targeted system.
The vulnerability is due to improper processing of XML data by the hot deploy feature of the affected software, which parses XML files without disabling external entity resolution. An attacker could exploit this vulnerability by persuading a user to place a crafted XML file where the hot deploy feature will pick it up and process it. A successful exploit could result in an XML External Entity (XXE) injection attack, allowing the attacker to read files accessible to the Karaf process and gain access to sensitive information, or to exhaust memory resources on the targeted system through entity expansion.
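The following is an added illustration, not Apache Karaf code and not taken from the published proof of concept. It shows the general mechanism behind this class of bug: a JAXP parser left at JDK defaults resolves a SYSTEM entity in a dropped XML file and inlines the referenced file's contents, while the same file is rejected once the parser refuses DOCTYPE declarations and external entities. The temporary "secret" file, the payload, and the root element name `features` are constructed for the demonstration; the hardening features are the standard JAXP/Xerces feature URIs. Requires Java 11 or later.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

/**
 * Added example (not Karaf code): a parser at JDK defaults versus a hardened
 * parser, both fed a constructed XML file carrying an external entity.
 */
public class XxeDemo {

    // JDK defaults: DOCTYPE is allowed and external general entities are resolved.
    static DocumentBuilder defaultParser() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        return dbf.newDocumentBuilder();
    }

    // Hardened: refuse any DOCTYPE, which blocks both external entities and
    // recursive entity expansion (the memory-exhaustion variant) in one step.
    static DocumentBuilder hardenedParser() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that do not honour the feature above.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder();
    }

    // Parses the document and returns the text content of its root element.
    static String parseRoot(DocumentBuilder db, String xml) throws Exception {
        Document doc = db.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return doc.getDocumentElement().getTextContent().trim();
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a sensitive file readable by the server process.
        Path secret = Files.createTempFile("secret", ".txt");
        Files.writeString(secret, "db-password=hunter2");

        // Constructed payload of the kind an attacker would drop into a hot-deploy
        // directory: the entity points at a file URI, and &xxe; inlines its contents.
        String payload =
            "<?xml version=\"1.0\"?>\n" +
            "<!DOCTYPE features [<!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">]>\n" +
            "<features>&xxe;</features>";

        try {
            System.out.println("default parser : " + parseRoot(defaultParser(), payload));
            try {
                parseRoot(hardenedParser(), payload);
                System.out.println("hardened parser: UNEXPECTEDLY accepted the document");
            } catch (SAXParseException e) {
                System.out.println("hardened parser: rejected (" + e.getMessage() + ")");
            }
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

The default parser prints the contents of the temporary file, which is exactly the information-disclosure outcome described above; the hardened parser throws on the DOCTYPE before any entity is touched. Disallowing DOCTYPE entirely is the right default for a deployer that only expects plain configuration XML, because it also removes the internal-entity expansion path (the "billion laughs" pattern) behind the memory-exhaustion impact.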
Proof-of-concept (PoC) code that demonstrates an exploit of this vulnerability is publicly available.
Apache confirmed the vulnerability and released software updates.
Security Impact Rating: Medium