oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE-2023-35887: Apache MINA SSHD: Information disclosure bugs with RootedFilesystem

From: Guillaume Nodet <gnodet () apache org>
Date: Fri, 07 Jul 2023 12:34:46 +0000
Affected versions:

- Apache MINA SSHD 1.0 before 2.10

Description:

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache MINA.

In SFTP servers implemented using Apache MINA SSHD that use a RootedFileSystem, logged users may be able to discover 
"exists/does not exist" information about items outside the rooted tree via paths including parent navigation ("..") 
beyond the root, or involving symlinks.

This issue affects Apache MINA: from 1.0 before 2.10.

Thanks to Andrew Pikler for discovering the issue and helping to fix it.

This issue is being tracked as SSHD-1324 

References:

https://mina.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-35887
https://issues.apache.org/jira/browse/SSHD-1324
Previous By Date Next
Previous By Thread Next

Current thread: