CVE-2023-35887

Description

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache MINA. In SFTP servers implemented using Apache MINA SSHD that use a RootedFileSystem, logged users may be able to discover "exists/does not exist" information about items outside the rooted tree via paths including parent navigation ("..") beyond the root, or involving symlinks. This issue affects Apache MINA: from 1.0 before 2.9.3 Users are recommended to upgrade to 2.9.3 Until version 2.1.0, some of the code affected by this vulnerability appeared in org.apache.sshd:sshd-core. Version 2.1.0 contains a [commit](https://github.com/apache/mina-sshd/commit/10de190e7d3f9189deb76b8d08c72334a1fe2df0) where the code was moved to the package org.apache.sshd:sshd-common, which did not exist until version 2.1.0.

How to fix CVE-2023-35887

To remediate CVE-2023-35887, upgrade the affected package to a fixed version below.

• —upgrade to 2.9.3 or later
• —upgrade to 2.1.0 or later
• —upgrade to 2.9.3 or later

Is CVE-2023-35887 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

• >= 2.1.0, < 2.9.3
• >= 1.0.0, < 2.1.0
• >= 1.0.0, < 2.9.3

CVSS scores

References (8)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-35887
• PATCHgithub.com/apache/mina-sshd
• WEBgithub.com/apache/mina-sshd/commit/10de190e7d3f9189deb76b8d08c72334a1fe2df0
• WEBgithub.com/apache/mina-sshd/commit/a61e93035f06bff8fc622ad94870fb773d48b9f0