CVE-2023-35887

Severity
4.3 MEDIUM
EPSS
0.1%
top 72.37%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Jul 10
Latest update: Jul 15

Description

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache MINA. In SFTP servers implemented using Apache MINA SSHD that use a RootedFileSystem, logged-in users may be able to discover "exists/does not exist" information about items outside the rooted tree via paths that include parent navigation ("..") beyond the root, or that involve symlinks. This issue affects Apache MINA from 1.0 before 2.10. Users are recommended to upgrade to 2.10.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Exploitability: 3.1 | Impact: 1.4

Affected Packages (5 packages)

Ecosystem | Package                      | Affected from | Affected to
----------|------------------------------|---------------|------------
Maven     | org.apache.sshd:sshd-sftp    | 1.0.0         | 2.9.3
NVD       | apache/sshd                  | 1.0.0         | 2.9.3
Maven     | org.apache.sshd:sshd-core    | 1.0.0         | 2.1.0
Maven     | org.apache.sshd:sshd-common  | 2.1.0         | 2.9.3

Vulnerability Details (3)

CVEList: Apache MINA SSHD: Information disclosure bugs with RootedFilesystem (2023-07-10)
GHSA: Apache MINA SSHD information disclosure vulnerability (2023-07-10)
OSV: Apache MINA SSHD information disclosure vulnerability (2023-07-10)

Vendor Advisories (6)

Oracle: Oracle JD Edwards Risk Matrix: Business Logic Infra SEC (Apache Mina SSHD) — CVE-2023-35887 (2024-07-15)
Oracle: Oracle Fusion Middleware Risk Matrix: Users, roles, credentials, security (Apache Mina) — CVE-2023-35887 (2024-04-15)
Oracle: Oracle Retail Applications Risk Matrix: Internal Operations (Apache Mina SSHD) — CVE-2023-35887 (2024-01-15)
Oracle: Oracle Fusion Middleware Risk Matrix: General (Apache Mina SSHD) — CVE-2023-35887 (2023-10-15)
Red Hat: apache-mina-sshd: information exposure in SFTP server implementations (2023-07-10)