CVE-2023-35887

ADVISORY - github

Summary

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache MINA.

In SFTP servers implemented using Apache MINA SSHD that use a RootedFileSystem, logged users may be able to discover "exists/does not exist" information about items outside the rooted tree via paths including parent navigation ("..") beyond the root, or involving symlinks.

This issue affects Apache MINA: from 1.0 before 2.9.3. Users are recommended to upgrade to 2.9.3.

Until version 2.1.0, some of the code affected by this vulnerability appeared in org.apache.sshd:sshd-core. Version 2.1.0 contains a commit where the code was moved to the package org.apache.sshd:sshd-common, which did not exist until version 2.1.0.

EPSS Score: 0.00106 (0.283)

Common Weakness Enumeration (CWE)

ADVISORY - nist

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

ADVISORY - github

Exposure of Sensitive Information to an Unauthorized Actor

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

ADVISORY - gitlab

OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities

ADVISORY - redhat

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')


NIST
EXPLOITABILITY SCORE: 3.1
EXPLOITS FOUND: -
CVSS SCORE: 5 (medium)

GitHub
EXPLOITABILITY SCORE: 3.1
EXPLOITS FOUND: -
CVSS SCORE: 5 (medium)

Debian
EXPLOITABILITY SCORE: -
EXPLOITS FOUND: -
COMMON WEAKNESS ENUMERATION (CWE): -
CVSS SCORE: N/A (low)

GitLab
ADVISORY ID: CVE-2023-35887
EXPLOITABILITY SCORE: 2.8
EXPLOITS FOUND: -
CVSS SCORE: 4.3 (medium)

Red Hat
EXPLOITABILITY SCORE: 2.8
EXPLOITS FOUND: -
CVSS SCORE: 4.3 (medium)

Chainguard
ADVISORY ID: CGA-fr3h-rgrv-p2gx
EXPLOITABILITY SCORE: -
EXPLOITS FOUND: -
COMMON WEAKNESS ENUMERATION (CWE): -
CVSS SCORE: rating unavailable from advisory