GHSA-fhw8-8j55-vwgq

Suggest an improvement
Source
https://github.com/advisories/GHSA-fhw8-8j55-vwgq
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-fhw8-8j55-vwgq/GHSA-fhw8-8j55-vwgq.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-fhw8-8j55-vwgq
Aliases
Published
2022-11-16T12:00:18Z
Modified
2023-11-01T05:00:20.410037Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Unsafe deserialization in Apache MINA SSHD
Details

Class org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider in Apache MINA SSHD <= 2.9.1 uses Java deserialization to load a serialized java.security.PrivateKey. The class is one of several implementations that an implementor using Apache MINA SSHD can choose for loading the host keys of an SSH server.

Until version 2.1.0, the code affected by this vulnerability appeared in org.apache.sshd:sshd-core. Version 2.1.0 contains a commit where the code was moved to the package org.apache.sshd:sshd-common, which did not exist until version 2.1.0.

References

Affected packages

Maven / org.apache.sshd:sshd-common

Package

Name
org.apache.sshd:sshd-common
View open source insights on deps.dev
Purl
pkg:maven/org.apache.sshd/sshd-common

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.9.2

Affected versions

2.*

2.1.0
2.2.0
2.3.0
2.4.0
2.5.0
2.5.1
2.6.0
2.7.0
2.8.0
2.9.0
2.9.1

Maven / org.apache.sshd:sshd-core

Package

Name
org.apache.sshd:sshd-core
View open source insights on deps.dev
Purl
pkg:maven/org.apache.sshd/sshd-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.9.2

Affected versions

0.*

0.1.0
0.2.0
0.3.0
0.4.0
0.5.0
0.6.0
0.7.0
0.8.0
0.9.0
0.10.0
0.10.1
0.11.0
0.11.0-sshd-314-1
0.12.0
0.13.0
0.14.0

1.*

1.0.0
1.1.0
1.1.1
1.2.0
1.3.0
1.4.0
1.6.0
1.7.0

2.*

2.0.0
2.1.0
2.2.0
2.3.0
2.4.0
2.5.0
2.5.1
2.6.0
2.7.0
2.8.0
2.9.0
2.9.1

Database specific

{
    "last_known_affected_version_range": "< 2.1.0"
}