Apache Karaf is vulnerable to directory traversal. The vulnerability exists as it does not prevent the use of relative path in the installation of the config service or MBean, allowing an attacker to overwrite existing files.
mail-archives.apache.org/mod_mbox/karaf-dev/201905.mbox/%[email protected]%3E
github.com/apache/karaf/pull/805
issues.apache.org/jira/browse/KARAF-6230
lists.apache.org/thread.html/1baa6f1df0e95fb1cd679067117354af2ab4423277d9a0ff6e8bf790@%3Cdev.karaf.apache.org%3E
lists.apache.org/thread.html/r218c7e017af0a860ae21bf7ab77520fd2070c8f52db680eeec03a266@%3Ccommits.karaf.apache.org%3E