Bug 2240036 (CVE-2023-35887) - CVE-2023-35887 apache-mina-sshd: information exposure in SFTP server implementations
Summary: CVE-2023-35887 apache-mina-sshd: information exposure in SFTP server implemen...
Keywords:
Status: NEW
Alias: CVE-2023-35887
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2240035
Reported: 2023-09-21 12:57 UTC by Chess Hazlett
Modified: 2025-05-06 08:28 UTC (History)
CC List: 70 users

Fixed In Version: apache-mina 2.10
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2023:5396 0 None None None 2023-09-28 11:55:44 UTC
Red Hat Product Errata RHSA-2023:7637 0 None None None 2023-12-04 17:57:30 UTC
Red Hat Product Errata RHSA-2023:7638 0 None None None 2023-12-04 17:59:14 UTC
Red Hat Product Errata RHSA-2023:7639 0 None None None 2023-12-04 17:56:47 UTC
Red Hat Product Errata RHSA-2023:7641 0 None None None 2023-12-04 18:02:24 UTC
Red Hat Product Errata RHSA-2023:7700 0 None None None 2023-12-07 14:26:50 UTC
Red Hat Product Errata RHSA-2023:7705 0 None None None 2023-12-07 15:32:52 UTC
Red Hat Product Errata RHSA-2024:1192 0 None None None 2024-03-06 15:30:18 UTC
Red Hat Product Errata RHSA-2024:1193 0 None None None 2024-03-06 15:29:46 UTC
Red Hat Product Errata RHSA-2024:1194 0 None None None 2024-03-06 15:38:32 UTC

Description Chess Hazlett 2023-09-21 12:57:46 UTC
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache MINA. In SFTP servers implemented using Apache MINA SSHD that use a RootedFileSystem, logged-in users may be able to discover "exists/does not exist" information about items outside the rooted tree via paths including parent navigation ("..") beyond the root, or involving symlinks. This issue affects Apache MINA: from 1.0 before 2.10. Users are recommended to upgrade to 2.10.
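As an added illustration of the two checks a rooted SFTP tree needs (this is not Apache MINA SSHD's own code, which is Java, and the resolver, the `probe` handler and the directory fixture are all constructed for this example): ".." that would climb above the root is rejected lexically before anything touches the real filesystem, a symlink that resolves outside the root is rejected after physical resolution, and every escape gets the same answer, so a client learns nothing about whether the outside target exists.

```python
import os
import tempfile
from pathlib import Path

class RootedPathError(Exception):
    """Uniform error for every escape; never reveals whether an outside target exists."""

def resolve_rooted(root, user_path):
    """Map an SFTP-style absolute path onto the rooted tree, or raise RootedPathError."""
    root = Path(root).resolve()
    # 1. Lexical pass: collapse "." and "..", and treat a ".." that would climb
    #    above the root as an escape instead of letting it reach the real filesystem.
    parts = []
    for seg in user_path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not parts:
                raise RootedPathError("path escapes root")
            parts.pop()
        else:
            parts.append(seg)
    candidate = root.joinpath(*parts)
    # 2. Physical pass: follow symlinks (non-strict, so a missing last component is
    #    fine) and require the real location to still lie inside the root.
    physical = candidate.resolve()
    if physical != root and root not in physical.parents:
        raise RootedPathError("path escapes root")
    return physical

def probe(root, user_path):
    """What a STAT-style handler answers: only in-root paths reveal existence."""
    try:
        target = resolve_rooted(root, user_path)
    except RootedPathError:
        return "denied"  # identical for existing and missing outside targets
    return "exists" if target.exists() else "missing"

def make_demo_tree():
    """Constructed fixture: a rooted tree plus an 'outside' dir a symlink in the root points at."""
    base = Path(tempfile.mkdtemp())
    root, outside = base / "root", base / "outside"
    (root / "docs").mkdir(parents=True)
    (root / "docs" / "readme.txt").write_text("public\n")
    outside.mkdir()
    (outside / "secret.txt").write_text("private\n")
    os.symlink(outside, root / "escape_link")  # link that leaves the rooted tree
    return root, outside
```

With the fixture, `probe(root, "/../outside/secret.txt")` and `probe(root, "/../outside/nope.txt")` both return "denied", while "/docs/readme.txt" and "/docs/missing.txt" return "exists" and "missing" respectively.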

Comment 5 errata-xmlrpc 2023-09-28 11:55:40 UTC
This issue has been addressed in the following products:

  Red Hat Data Grid 8.4.4

Via RHSA-2023:5396 https://access.redhat.com/errata/RHSA-2023:5396

Comment 6 errata-xmlrpc 2023-12-04 17:56:43 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9

Via RHSA-2023:7639 https://access.redhat.com/errata/RHSA-2023:7639

Comment 7 errata-xmlrpc 2023-12-04 17:57:26 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7

Via RHSA-2023:7637 https://access.redhat.com/errata/RHSA-2023:7637

Comment 8 errata-xmlrpc 2023-12-04 17:59:11 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8

Via RHSA-2023:7638 https://access.redhat.com/errata/RHSA-2023:7638

Comment 9 errata-xmlrpc 2023-12-04 18:02:19 UTC
This issue has been addressed in the following products:

  EAP 7.4.14

Via RHSA-2023:7641 https://access.redhat.com/errata/RHSA-2023:7641

Comment 11 errata-xmlrpc 2023-12-07 14:26:47 UTC
This issue has been addressed in the following products:

  Red Hat build of Quarkus 2.13.9

Via RHSA-2023:7700 https://access.redhat.com/errata/RHSA-2023:7700

Comment 12 errata-xmlrpc 2023-12-07 15:32:49 UTC
This issue has been addressed in the following products:

  Red Hat Integration

Via RHSA-2023:7705 https://access.redhat.com/errata/RHSA-2023:7705

Comment 13 errata-xmlrpc 2024-03-06 15:29:41 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9

Via RHSA-2024:1193 https://access.redhat.com/errata/RHSA-2024:1193

Comment 14 errata-xmlrpc 2024-03-06 15:30:13 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8

Via RHSA-2024:1192 https://access.redhat.com/errata/RHSA-2024:1192

Comment 15 errata-xmlrpc 2024-03-06 15:38:27 UTC
This issue has been addressed in the following products:

  EAP 8.0.1

Via RHSA-2024:1194 https://access.redhat.com/errata/RHSA-2024:1194
