This repository has been archived by the owner on Oct 25, 2023. It is now read-only.
sshd-core-2.8.0.jar: 2 vulnerabilities (highest severity is: 9.8) #83
Labels
Mend: dependency security vulnerability
Security vulnerability detected by Mend
Comments
mend-bolt-for-github
bot
added
the
Mend: dependency security vulnerability
mend-bolt-for-github
bot
changed the title
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Library home page: https://www.apache.org/
Found in HEAD commit: c737bff522acd627979af76e7bd3a589477f0497
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - sshd-core-2.8.0.jar
Library home page: https://www.apache.org/
Dependency Hierarchy:
Found in HEAD commit: c737bff522acd627979af76e7bd3a589477f0497
Found in base branch: dev
Vulnerability Details
Class org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider in Apache MINA SSHD <= 2.9.1 uses Java deserialization to load a serialized java.security.PrivateKey. The class is one of several implementations that an implementor using Apache MINA SSHD can choose for loading the host keys of an SSH server.
Publish Date: 2022-11-16
URL: CVE-2022-45047
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://www.mail-archive.com/dev@mina.apache.org/msg39312.html
Release Date: 2022-11-16
Fix Resolution: 2.9.2
Step up your Open Source Security Game with Mend here
Vulnerable Library - sshd-core-2.8.0.jar
Library home page: https://www.apache.org/
Dependency Hierarchy:
Found in HEAD commit: c737bff522acd627979af76e7bd3a589477f0497
Found in base branch: dev
Vulnerability Details
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache MINA.
In SFTP servers implemented using Apache MINA SSHD that use a RootedFileSystem, logged users may be able to discover "exists/does not exist" information about items outside the rooted tree via paths including parent navigation ("..") beyond the root, or involving symlinks.
This issue affects Apache MINA: from 1.0 before 2.10. Users are recommended to upgrade to 2.10
Publish Date: 2023-07-10
URL: CVE-2023-35887
CVSS 3 Score Details (4.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://lists.apache.org/thread/b9qgtqvhnvgfpn0w1gz918p21p53tqk2
Release Date: 2023-07-10
Fix Resolution: 2.10.0
Step up your Open Source Security Game with Mend here
The text was updated successfully, but these errors were encountered: