Affected versions:

- Apache MINA SSHD 1.0 before 2.10

Description:

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache MINA.

In SFTP servers implemented using Apache MINA SSHD that use a RootedFileSystem, logged-in users may be able to discover "exists/does not exist" information about items outside the rooted tree via paths including parent navigation ("..") beyond the root, or involving symlinks.

This issue affects Apache MINA: from 1.0 before 2.10.

Thanks to Andrew Pikler for discovering the issue and helping to fix it.

This issue is being tracked as SSHD-1324.

References:

https://mina.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-35887
https://issues.apache.org/jira/browse/SSHD-1324
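
The following is an added illustration for server implementers, not Apache MINA SSHD code and not the project's fix: a confinement check that resolves a client path against a root, rejects ".." and symlink escapes, and returns one uniform error so that no "exists/does not exist" signal leaks. The class name `RootedPathCheck` is hypothetical and the directory tree in `main` is constructed sample data.

```java
import java.io.IOException;
import java.nio.file.*;

/** Hypothetical helper (not MINA SSHD code): confines client paths to a root. */
public class RootedPathCheck {
    private final Path root;
    public RootedPathCheck(Path root) throws IOException {
        this.root = root.toRealPath();           // canonical root, symlinks resolved
    }

    /** Returns the confined real path, or throws one uniform error for every failure. */
    public Path resolve(String clientPath) throws NoSuchFileException {
        // Treat the client path as relative to the root, even if it starts with "/".
        String rel = clientPath.replaceFirst("^/+", "");
        Path lexical = root.resolve(rel).normalize();    // collapses ".." lexically
        if (!lexical.startsWith(root)) {                 // compares path elements, not strings
            throw new NoSuchFileException(clientPath);   // ".." climbed above the root
        }
        try {
            // toRealPath follows symlinks; re-check so a link cannot point outside.
            Path real = lexical.toRealPath();
            if (!real.startsWith(root)) {
                throw new NoSuchFileException(clientPath);
            }
            return real;
        } catch (IOException e) {
            // Missing, unreadable and outside-the-root all produce the same exception.
            throw new NoSuchFileException(clientPath);
        }
    }

    public static void main(String[] args) throws IOException {
        Path base = Files.createTempDirectory("rooted-demo");   // constructed sample tree
        Path root = Files.createDirectory(base.resolve("root"));
        Files.createFile(root.resolve("inside.txt"));
        Files.createFile(base.resolve("outside.txt"));           // sibling of the root
        try {
            Files.createSymbolicLink(root.resolve("link"), base.resolve("outside.txt"));
        } catch (IOException | UnsupportedOperationException e) { /* no symlink support */ }
        RootedPathCheck check = new RootedPathCheck(root);
        for (String p : new String[] {"inside.txt", "../outside.txt", "../missing.txt", "link", "nope"}) {
            try {
                System.out.println(p + " -> " + check.root.relativize(check.resolve(p)));
            } catch (NoSuchFileException e) {
                System.out.println(p + " -> NoSuchFileException");
            }
        }
    }
}
```

In the sample run only `inside.txt` resolves; `../outside.txt` (which exists) and `../missing.txt` (which does not) fail identically, as does the symlink that points outside the root.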