CVE-2022-45047
Unsafe deserialization in Apache MINA SSHD
Description
Class org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider in Apache MINA SSHD <= 2.9.1 uses Java deserialization to load a serialized java.security.PrivateKey. The class is one of several implementations that an implementor using Apache MINA SSHD can choose for loading the host keys of an SSH server. Until version 2.1.0, the code affected by this vulnerability appeared in `org.apache.sshd:sshd-core`. Version 2.1.0 contains a [commit](https://github.com/apache/mina-sshd/commit/10de190e7d3f9189deb76b8d08c72334a1fe2df0) where the code was moved to the package `org.apache.sshd:sshd-common`, which did not exist until version 2.1.0.
How to fix CVE-2022-45047
To remediate CVE-2022-45047, upgrade the affected package to a fixed version below.
- —upgrade to 2.9.2 or later
- —upgrade to 2.9.2 or later
Is CVE-2022-45047 being exploited?
Moderate — EPSS is 6.0%. Track this CVE but it's not at the top of the prioritisation list.
Affected packages (2)
- from 0, < 2.9.2
- from 0, < 2.9.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |