CVE-2022-45047

CWE-502 — Deserialization of Untrusted Data11 documents7 sources

Severity

9.8CRITICAL

EPSS

5.1%

top 10.19%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Mina Sshd Apache Sshd

Timeline

PublishedNov 16

Latest updateJan 15

Description

Class org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider in Apache MINA SSHD <= 2.9.1 uses Java deserialization to load a serialized java.security.PrivateKey. The class is one of several implementations that an implementor using Apache MINA SSHD can choose for loading the host keys of an SSH server.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages4 packages

▶CVEListV5apache_software_foundation/apache_mina_sshdunspecified — 2.9.1

▶Mavenorg.apache.sshd:sshd-core< 2.9.2

▶Mavenorg.apache.sshd:sshd-common< 2.9.2

▶NVDapache/sshd2.9.1

🔴Vulnerability Details

OSV

Unsafe deserialization in Apache MINA SSHD↗2022-11-16

▶

GHSA

Unsafe deserialization in Apache MINA SSHD↗2022-11-16

▶

CVEList

Apache MINA SSHD: Java unsafe deserialization vulnerability↗2022-11-16

▶

📋Vendor Advisories

Oracle

Oracle Oracle Analytics Risk Matrix: Core (Apache Mina SSHD) — CVE-2022-45047↗2026-01-15

▶

Oracle

Oracle Oracle Enterprise Manager Risk Matrix: Agent Next Gen (Apache Mina SSHD) — CVE-2022-45047↗2025-04-15

▶

Oracle

Oracle Oracle Financial Services Applications Risk Matrix: core module (Apache Mina SSHD) — CVE-2022-45047↗2023-07-15

▶

Oracle

Oracle Oracle Communications Risk Matrix: BEServer (Apache Mina SSHD) — CVE-2022-45047↗2023-04-15

▶

Oracle

Oracle Oracle Fusion Middleware Risk Matrix: RDA - Remote Diagnostic Agent (Apache Mina SSHD) — CVE-2022-45047↗2023-01-15

▶