martin-traverse opened a new issue, #453:
URL: https://github.com/apache/mina-sshd/issues/453

   ### Version
   
   2.11
   
   ### Bug description
   
   Using Apache SSHD is now causing projects to fail security scanning due to CVE-2023-48795. Appreciate this is a much wider issue than just this project. Details of the vulnerability are already available publicly here:
   
   https://nvd.nist.gov/vuln/detail/CVE-2023-48795#range-10212309
   
   Are there any plans to address this issue? For example by disabling use of the affected extensions unless some explicit configuration is passed, e.g. AllowUnsafeExtensions?
   
   ### Actual behavior
   
   Using the Apache SSHD libraries causes projects to fail vulnerability scanning. Currently the only option is to use an exclusion for this vulnerability, so it can be exploited if a site is misconfigured.
   
   ### Expected behavior
   
   Affected extensions are disabled by default so the vulnerability cannot be exploited without explicit configuration. An updated version of SSHD passes security scanning.
   
   ### Relevant log output
   
   _No response_
   
   ### Other information
   
   _No response_


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
