Bug 2240036 (CVE-2023-35887)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | CVE-2023-35887 apache-mina-sshd: information exposure in SFTP server implementations | | |
| Product: | [Other] Security Response | Reporter: | Chess Hazlett <chazlett> |
| Component: | vulnerability | Assignee: | Product Security <prodsec-ir-bot> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | aileenc, alampare, alazarot, anstephe, asoldano, avibelli, bbaranow, bgeorges, bmaxwell, boliveir, brian.stansberry, cdewolf, chazlett, clement.escoffier, cmoulliard, dandread, darran.lofthouse, dhanak, dkreling, dosoudil, drichtar, dsimansk, emingora, fjuma, fmongiar, gjospin, gmalinko, gsmet, ibek, ivassile, iweiss, janstey, jmartisk, jnethert, jrokos, kverlaen, lbacciot, lball, lgao, lthon, matzew, max.andersen, michal.skrivanek, mnovotny, mosmerov, mperina, msochure, mstefank, msvehla, nwallace, pdelbell, pdrozd, peholase, pgallagh, pjindal, pmackay, probinso, pskopek, rguimara, rhuss, rowaters, rruss, rstancel, rsvoboda, sbiarozk, smaestri, sthorger, tom.jenkinson, tqvarnst |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | apache-mina 2.10 | Doc Type: | If docs needed, set a value |
| Doc Text: | A flaw was found in Apache Mina SSHD that could be exploited on certain SFTP servers implemented using the Apache Mina RootedFileSystem. This issue could permit authenticated users to view information outside of their permissions scope. | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 2240035 | | |
This issue has been addressed in the following products:

- Red Hat Data Grid 8.4.4 via RHSA-2023:5396 (https://access.redhat.com/errata/RHSA-2023:5396)
- Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9 via RHSA-2023:7639 (https://access.redhat.com/errata/RHSA-2023:7639)
- Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 via RHSA-2023:7637 (https://access.redhat.com/errata/RHSA-2023:7637)
- Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 via RHSA-2023:7638 (https://access.redhat.com/errata/RHSA-2023:7638)
- EAP 7.4.14 via RHSA-2023:7641 (https://access.redhat.com/errata/RHSA-2023:7641)
- Red Hat build of Quarkus 2.13.9 via RHSA-2023:7700 (https://access.redhat.com/errata/RHSA-2023:7700)
- Red Hat Integration via RHSA-2023:7705 (https://access.redhat.com/errata/RHSA-2023:7705)
- Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9 via RHSA-2024:1193 (https://access.redhat.com/errata/RHSA-2024:1193)
- Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8 via RHSA-2024:1192 (https://access.redhat.com/errata/RHSA-2024:1192)
- EAP 8.0.1 via RHSA-2024:1194 (https://access.redhat.com/errata/RHSA-2024:1194)
- Red Hat JBoss Enterprise Application Platform 7 via RHSA-2023:7641 (https://access.redhat.com/errata/RHSA-2023:7641)
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache MINA. In SFTP servers implemented using Apache MINA SSHD that use a RootedFileSystem, logged-in users may be able to discover "exists/does not exist" information about items outside the rooted tree via paths that include parent navigation ("..") beyond the root, or that involve symlinks. This issue affects Apache MINA from 1.0 before 2.10. Users are recommended to upgrade to 2.10.