Affected versions:
- Apache MINA SSHD 1.0 before 2.10
Description:
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in
Apache Software Foundation Apache MINA.
In SFTP servers implemented using Apache MINA SSHD that use a RootedFileSystem,
logged-in users may be able to discover "exists/does not exist" information about
items outside the rooted tree via paths including parent navigation ("..")
beyond the root, or involving symlinks.
This issue affects Apache MINA: from 1.0 before 2.10.
Thanks to Andrew Pikler for discovering the issue and helping to fix it.
This issue is being tracked as SSHD-1324.
References:
https://mina.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-35887
https://issues.apache.org/jira/browse/SSHD-1324
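
The description names two ways a path can leave the rooted tree: ".." segments that climb above the root, and symlinks. The following is an added illustration of a containment check that returns the same error in every rejected case. It is not code from Apache MINA SSHD and not the project's fix; it uses only java.nio.file, and the helper name resolveInsideRoot and the sample tree are assumptions.

```java
import java.io.IOException;
import java.nio.file.*;

public class RootedResolveDemo {
    // Hypothetical helper (not an Apache MINA SSHD API). Assumes POSIX-style client paths.
    // Every rejection is the same NoSuchFileException, so a client cannot tell
    // "outside the root" apart from "does not exist".
    static Path resolveInsideRoot(Path root, String clientPath) throws IOException {
        Path realRoot = root.toRealPath();
        try {
            // Client paths are always relative to the root, even with a leading "/".
            Path lexical = realRoot.resolve(clientPath.replaceFirst("^/+", "")).normalize();
            // Check 1: ".." segments that climb above the root.
            if (!lexical.startsWith(realRoot)) throw new NoSuchFileException(clientPath);
            // Check 2: symlinks whose real target is outside the root.
            Path real = lexical.toRealPath();
            if (!real.startsWith(realRoot)) throw new NoSuchFileException(clientPath);
            return real;
        } catch (IOException | InvalidPathException e) {
            // Missing file, dangling link, malformed path: all reported identically.
            throw new NoSuchFileException(clientPath);
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample tree: base/root is the served root, base/outside is not.
        Path base = Files.createTempDirectory("rooted-demo");
        Path root = Files.createDirectory(base.resolve("root"));
        Path outside = Files.createDirectory(base.resolve("outside"));
        Files.createFile(root.resolve("inside.txt"));
        Path secret = Files.createFile(outside.resolve("secret.txt"));
        Files.createSymbolicLink(root.resolve("link"), secret);

        String[] requests = {"inside.txt", "missing.txt", "../outside/secret.txt",
                             "../outside/missing.txt", "link"};
        for (String request : requests) {
            try {
                resolveInsideRoot(root, request);
                System.out.println(request + " -> ok");
            } catch (NoSuchFileException e) {
                System.out.println(request + " -> no such file");
            }
        }
    }
}
```

Only inside.txt resolves; the other four requests get the identical error whether the target exists outside the root or not. The check and the later file open are separate steps, so a server should open the returned real path rather than re-resolving the client string.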