CVE-2022-45047: Deserialization of Untrusted Data

November 16, 2022 (updated November 21, 2022)

Class org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider in Apache MINA SSHD <= 2.9.1 uses Java deserialization to load a serialized java.security.PrivateKey. The class is one of several implementations that an implementor using Apache MINA SSHD can choose for loading the host keys of an SSH server.

References

github.com/advisories/GHSA-fhw8-8j55-vwgq
github.com/apache/mina-sshd/commit/03238d51586f6b3c0bdbb1a23cf16799344d6c32
github.com/apache/mina-sshd/commit/5a8fe830b2a2308a2b24ac8115a391af477f64f5
nvd.nist.gov/vuln/detail/CVE-2022-45047
www.mail-archive.com/dev@mina.apache.org/msg39312.html

Detect and mitigate CVE-2022-45047 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →