GHSA-3936-3gx6-49c4

Source

https://github.com/advisories/GHSA-3936-3gx6-49c4

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-3936-3gx6-49c4/GHSA-3936-3gx6-49c4.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-3936-3gx6-49c4

Aliases

CVE-2025-30474

Published

2025-03-23T15:30:33Z

Modified

2025-03-25T03:46:16.985204Z

Severity

6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator

Summary

Apache Commons VFS Exposure of Sensitive Information to an Unauthorized Actor

Details

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Commons VFS.

The FtpFileObject class can throw an exception when a file is not found, revealing the original URI in its message, which may include a password. The fix is to mask the password in the exception message This issue affects Apache Commons VFS: before 2.10.0.

Users are recommended to upgrade to version 2.10.0, which fixes the issue.

Database specific

{
    "github_reviewed_at": "2025-03-25T03:23:11Z",
    "cwe_ids": [
        "CWE-200"
    ],
    "nvd_published_at": "2025-03-23T15:15:14Z",
    "github_reviewed": true,
    "severity": "MODERATE"
}

References

Affected packages

Maven / org.apache.commons:commons-vfs2

Package

Name: org.apache.commons:commons-vfs2; View open source insights on deps.dev
Purl: pkg:maven/org.apache.commons/commons-vfs2

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.10.0

Affected versions

2.*

2.0

2.1

2.2

2.3

2.4

2.4.1

2.5.0

2.6.0

2.7.0

2.8.0

2.9.0