This is an automated email from the ASF dual-hosted git repository.
jbonofre pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/karaf-site.git
The following commit(s) were added to refs/heads/trunk by this push:
new 535b660 Publish advisory for CVE-2026-24656
535b660 is described below
commit 535b6603e3416fe93202532d45e68f08a3f52fab
Author: JB Onofré <[email protected]>
AuthorDate: Sat Jan 24 07:23:14 2026 +0100
Publish advisory for CVE-2026-24656
---
documentation.html | 4 ++++
security/cve-2026-24656.txt | 47 +++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 51 insertions(+)
diff --git a/documentation.html b/documentation.html
index 3db238a..571ec2c 100644
--- a/documentation.html
+++ b/documentation.html
@@ -361,6 +361,10 @@ permalink: /documentation
<p>CVE-2024-34365: Cave SSRF and arbitrary file access</p>
<a class="btn btn-outline-primary"
href="/security/cve-2024-34365.txt">Notes »</a>
</div>
+ <div class="pb-4 mb-3">
+ <p>CVE-2026-24656: Decanter log socket collector:
Deserialization of Untrusted Data</p>
+ <a class="btn btn-outline-primary"
href="/security/cve-2026-24656.txt">Notes »</a>
+ </div>
</div><!-- /.blog-main -->
</div>
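Review bot: the index text on the two added `+` lines (`CVE-2026-24656: Decanter log socket collector: Deserialization of Untrusted Data`) does not match the title used inside the advisory it links to (`Apache Karaf Decanter: Deserialization of Untrusted Data Vulnerability`); pick one wording so the listing and the notes agree. Since the other entries on this page also carry only a CVE id and a short title, consider appending the affected/fixed version (`before 2.12.0, fixed in 2.12.0`) to the `<p>` text so an operator can triage from the index without opening the notes.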
diff --git a/security/cve-2026-24656.txt b/security/cve-2026-24656.txt
new file mode 100644
index 0000000..d172b01
--- /dev/null
+++ b/security/cve-2026-24656.txt
@@ -0,0 +1,47 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA256
+
+CVE-2026-24656: Apache Karaf Decanter: Deserialization of Untrusted Data
Vulnerability
+
+Severity: important
+
+Affected versions:
+
+- - Apache Karaf Decanter, versions before 2.12.0
+
+Description:
+
+The Decanter log socket collector exposes the port 4560, without
authentication.
+
+If the collector exposes allowed classes property, this configuration can be
bypassed.
+It means that the log socket collector is vulnerable to deserialization of
untrusted data, eventually causing DoS.
+
+NB: Decanter log socket collector is not installed by default. Users who have
not installed Decanter log socket are not impacted by this issue.
+
+This issue affects Apache Karaf Decanter before 2.12.0
+.Users are recommended to upgrade to version 2.12.0, which fixes the issue.
+
+Credit:
+
+r00t4dm (finder)
+
+References:
+
+https://karaf.apache.org/
+https://www.cve.org/CVERecord?id=CVE-2026-24656
+-----BEGIN PGP SIGNATURE-----
+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+=00dQ
+-----END PGP SIGNATURE-----
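Review bot: the `Description:` block leaves out the details a reader needs to act: the `+If the collector exposes allowed classes property, this configuration can be` line never names the configuration property or the collector configuration it lives in, never says how the allow-list is bypassed, and the phrase `eventually causing DoS` reads as a mistranslation of "possibly" (it should say something like "which can result in a denial of service") and does not state whether the impact is limited to DoS or can extend further. Suggest naming the property and the collector bundle explicitly, stating the impact precisely, and adding a mitigation for users who cannot upgrade immediately (for example restricting network access to the unauthenticated port 4560 until 2.12.0 is deployed). Two smaller points in the same hunk: the leading `.` on the `+.Users are recommended to upgrade to version 2.12.0` line belongs at the end of the preceding `+This issue affects Apache Karaf Decanter before 2.12.0` line, and the `References:` section lists only the project home page and the CVE record; ASF advisories usually also link the fix commit or JIRA issue so readers can verify what changed in 2.12.0. (The `- - Apache Karaf Decanter` double dash is PGP clearsign dash-escaping and renders as a single list marker, so that one is fine.)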