GHSA-mjmq-gwgm-5qhm

Source
https://github.com/advisories/GHSA-mjmq-gwgm-5qhm
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-mjmq-gwgm-5qhm/GHSA-mjmq-gwgm-5qhm.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-mjmq-gwgm-5qhm
Aliases
Published
2023-07-10T18:30:49Z
Modified
2023-12-07T18:30:50.199235Z
Severity
  • 5.0 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Summary
Apache MINA SSHD information disclosure vulnerability
Details

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache MINA.

In SFTP servers implemented using Apache MINA SSHD that use a RootedFileSystem, logged-in users may be able to discover "exists/does not exist" information about items outside the rooted tree via paths that include parent navigation ("..") beyond the root, or that involve symlinks.

This issue affects Apache MINA from 1.0 before 2.9.3. Users are recommended to upgrade to 2.9.3.

Until version 2.1.0, some of the code affected by this vulnerability appeared in org.apache.sshd:sshd-core. Version 2.1.0 contains a commit where the code was moved to the package org.apache.sshd:sshd-common, which did not exist until version 2.1.0.
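The failure mode described above is a path-confinement check that answers an existence query before it has established that the resolved path is still inside the rooted tree. The following is an added illustration of the defensive pattern, written for this page and not taken from Apache MINA SSHD or its RootedFileSystem: the class name RootedPathGuard and its methods are hypothetical, the root is assumed to be a directory on the local filesystem, and client-supplied paths are assumed to be "/"-separated virtual paths relative to that root. Parent navigation is handled lexically (".." that would climb above "/" is refused), symlinks are handled semantically (the longest existing prefix is resolved with toRealPath and must remain under the root), and every escape raises the same exception regardless of whether the out-of-root target exists, so the exception itself carries no existence information.

```java
import java.io.IOException;
import java.nio.file.AccessDeniedException;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.NoSuchFileException;
import java.nio.file.Path;
import java.util.ArrayDeque;
import java.util.Deque;

/**
 * Illustrative confinement of client-supplied virtual paths to a root directory.
 * Hypothetical class written for this page; not Apache MINA SSHD code.
 * Assumes: root is a local directory; virtual paths use "/" as separator.
 */
public final class RootedPathGuard {

    private final Path root;

    public RootedPathGuard(Path root) throws IOException {
        // Canonicalize once so containment checks compare real path against real path.
        this.root = root.toRealPath();
    }

    /** Lexical step: drop "." and empty segments, apply "..", refuse ".." above the root. */
    static String[] normalizeVirtual(String virtualPath) throws AccessDeniedException {
        Deque<String> parts = new ArrayDeque<>();
        for (String seg : virtualPath.split("/")) {
            if (seg.isEmpty() || seg.equals(".")) {
                continue;
            }
            if (seg.equals("..")) {
                if (parts.isEmpty()) {
                    // Climbing above "/" leaves the rooted tree: same error as any other escape.
                    throw new AccessDeniedException(virtualPath);
                }
                parts.removeLast();
                continue;
            }
            parts.addLast(seg);
        }
        return parts.toArray(new String[0]);
    }

    /**
     * Maps a virtual path to a real path under root, or throws AccessDeniedException.
     * The exception is identical for every escape, whether or not the target exists.
     */
    public Path resolve(String virtualPath) throws IOException {
        Path candidate = root;
        for (String seg : normalizeVirtual(virtualPath)) {
            candidate = candidate.resolve(seg);
        }
        // Semantic step: walk back to the longest existing prefix (links not followed yet),
        // remembering the missing tail so absent targets are treated like present ones.
        Path existing = candidate;
        Path missingTail = null;
        while (!Files.exists(existing, LinkOption.NOFOLLOW_LINKS)) {
            Path name = existing.getFileName();
            missingTail = (missingTail == null) ? name : name.resolve(missingTail);
            existing = existing.getParent();
            if (existing == null) {
                throw new AccessDeniedException(virtualPath); // defensive; root itself always exists
            }
        }
        Path real;
        try {
            // Follows symlinks in the existing prefix; a link pointing outside shows up here.
            real = existing.toRealPath();
        } catch (NoSuchFileException dangling) {
            // Dangling link: refuse uniformly rather than reveal anything about its target.
            throw new AccessDeniedException(virtualPath);
        }
        Path result = (missingTail == null) ? real : real.resolve(missingTail);
        if (!result.startsWith(root)) {
            throw new AccessDeniedException(virtualPath);
        }
        return result;
    }

    /** Existence query that only answers for paths proven to be inside the root. */
    public boolean exists(String virtualPath) throws IOException {
        return Files.exists(resolve(virtualPath));
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample tree: one file inside the root, one symlink escaping it.
        Path root = Files.createTempDirectory("rooted");
        Files.createFile(root.resolve("inside.txt"));
        Path outside = Files.createTempFile("outside", ".txt");
        Files.createSymbolicLink(root.resolve("escape"), outside);

        RootedPathGuard guard = new RootedPathGuard(root);
        System.out.println("/inside.txt  exists: " + guard.exists("/inside.txt"));
        System.out.println("/missing.txt exists: " + guard.exists("/missing.txt"));
        for (String p : new String[] {"/../outside.txt", "/escape"}) {
            try {
                guard.exists(p);
            } catch (AccessDeniedException e) {
                System.out.println("denied (no existence answer): " + p);
            }
        }
    }
}
```

The order of the two steps matters: ".." is applied to the virtual path before any filesystem access, because in a rooted tree it is a virtual operation and must never be able to reference the host's directory above the root, while symlinks can only be judged after resolution because their targets live on the host filesystem. Both escapes funnel into one exception type so that a client cannot tell "refused because it exists outside" from "refused because it does not".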

References

Affected packages

Maven / org.apache.sshd:sshd-common

Package

Name
org.apache.sshd:sshd-common
Purl
pkg:maven/org.apache.sshd/sshd-common

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.1.0
Fixed
2.9.3

Affected versions

2.*

2.1.0
2.2.0
2.3.0
2.4.0
2.5.0
2.5.1
2.6.0
2.7.0
2.8.0
2.9.0
2.9.1
2.9.2

Maven / org.apache.sshd:sshd-sftp

Package

Name
org.apache.sshd:sshd-sftp
Purl
pkg:maven/org.apache.sshd/sshd-sftp

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.0.0
Fixed
2.9.3

Affected versions

2.*

2.0.0
2.1.0
2.2.0
2.3.0
2.4.0
2.5.0
2.5.1
2.6.0
2.7.0
2.8.0
2.9.0
2.9.1
2.9.2

Maven / org.apache.sshd:sshd-core

Package

Name
org.apache.sshd:sshd-core
Purl
pkg:maven/org.apache.sshd/sshd-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.0.0
Fixed
2.1.0

Affected versions

1.*

1.0.0
1.1.0
1.1.1
1.2.0
1.3.0
1.4.0
1.6.0
1.7.0

2.*

2.0.0