
Address CVE-2023-48795 (details are already public) #453

Closed
martin-traverse opened this issue Jan 14, 2024 · 1 comment
Labels
duplicate An issue that is a duplicate of another one.

Comments

@martin-traverse

Version

2.11

Bug description

Using Apache SSHD is now causing projects to fail security scanning due to CVE-2023-48795. Appreciate this is a much wider issue than just this project. Details of the vulnerability are already available publicly here:

https://nvd.nist.gov/vuln/detail/CVE-2023-48795#range-10212309

Are there any plans to address this issue? For example by disabling use of the affected extensions unless some explicit configuration is passed, e.g. AllowUnsafeExtensions?

Actual behavior

Using the Apache SSHD libraries causes projects to fail vulnerability scanning. Currently the only option is to use an exclusion for this vulnerability, so it can be exploited if a site is misconfigured.

Expected behavior

Affected extensions are disabled by default so the vulnerability cannot be exploited without explicit configuration. An updated version of SSHD passes security scanning.

Relevant log output

No response

Other information

No response
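Until a release with the fix is available, one interim mitigation on the application side is to drop the algorithms that CVE-2023-48795 (the "Terrapin" prefix-truncation weakness) depends on from the negotiated lists: the chacha20-poly1305@openssh.com cipher and the encrypt-then-MAC (*-etm@openssh.com) MACs, which are only exploitable in combination with a CBC cipher. The following is an added example, not code from the Apache MINA SSHD project and not the `AllowUnsafeExtensions` switch proposed above; it assumes only the public `SshClient.setUpDefaultClient()` factory and the `getCipherFactories`/`setCipherFactories`/`getMacFactories`/`setMacFactories` accessors of the factory manager, and filters by algorithm name so it does not depend on any particular enum constant.

```java
import java.util.List;
import java.util.stream.Collectors;

import org.apache.sshd.client.SshClient;
import org.apache.sshd.common.NamedFactory;
import org.apache.sshd.common.cipher.Cipher;
import org.apache.sshd.common.mac.Mac;

/**
 * Added example (not project code): restrict the algorithm lists of an
 * Apache MINA SSHD client as a stop-gap for CVE-2023-48795 until the
 * library release carrying the protocol-level fix can be deployed.
 */
public final class TerrapinInterimHardening {

    // chacha20-poly1305@openssh.com is affected on its own.
    static boolean isAffectedCipher(String name) {
        return "chacha20-poly1305@openssh.com".equals(name);
    }

    // Encrypt-then-MAC MACs are affected when paired with a CBC cipher;
    // removing the ETM MACs breaks that pairing regardless of cipher list.
    static boolean isEtmMac(String name) {
        return name.endsWith("-etm@openssh.com");
    }

    /** Builds a client whose cipher and MAC lists exclude the affected entries. */
    public static SshClient hardenedClient() {
        SshClient client = SshClient.setUpDefaultClient();

        // Assumption: getCipherFactories() returns the library defaults
        // as List<NamedFactory<Cipher>>; we copy it minus the affected cipher.
        List<NamedFactory<Cipher>> ciphers = client.getCipherFactories().stream()
                .filter(f -> !isAffectedCipher(f.getName()))
                .collect(Collectors.toList());
        client.setCipherFactories(ciphers);

        // Same for MACs, dropping every *-etm@openssh.com variant.
        List<NamedFactory<Mac>> macs = client.getMacFactories().stream()
                .filter(f -> !isEtmMac(f.getName()))
                .collect(Collectors.toList());
        client.setMacFactories(macs);

        return client;
    }

    /** Returns the names that remain, useful for logging the effective policy. */
    public static List<String> remainingNames(List<? extends NamedFactory<?>> factories) {
        return factories.stream().map(NamedFactory::getName).collect(Collectors.toList());
    }

    public static void main(String[] args) {
        SshClient client = hardenedClient();
        System.out.println("ciphers: " + remainingNames(client.getCipherFactories()));
        System.out.println("macs:    " + remainingNames(client.getMacFactories()));
        // Only aes*-ctr / aes*-gcm ciphers and non-ETM hmac-* MACs should be listed.
        client.stop();
    }
}
```

Log the remaining names at startup so a reviewer can confirm the effective policy rather than trusting the filter, and remove this workaround once the upgraded library (which negotiates the protocol-level fix) is in place, since name filtering only reduces exposure and does not address the underlying sequence-number handling.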

@tomaswolf
Member

This is a duplicate of #445. Will be fixed in Apache MINA SSHD 2.12.0, the release is currently in the voting phase, see mail thread.

@tomaswolf tomaswolf added the duplicate An issue that is a duplicate of another one. label Jan 14, 2024