org.apache.karaf.shell.core is vulnerable to arbitrary file read and write. A user with rights to the Karaf console can read or write any file on the file system. An attacker with access to the sshd service can abuse the vulnerability to read or write arbitrary files on the file system to which the Karaf process user has access.
karaf.apache.org/security/cve-2018-11786.txt
gitbox.apache.org/repos/asf?p=karaf.git;h=24fb477
github.com/apache/karaf/commit/24fb477ea886e8f294dedbad98d2a2c4cb2a44f9
issues.apache.org/jira/browse/KARAF-5427
lists.apache.org/thread.html/5b7ac762c6bbe77ac5d9389f093fc6dbf196c36d788e3d7629e6c1d9@%3Cdev.karaf.apache.org%3E