CVE-2023-35887: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

July 10, 2023 (updated July 18, 2023)

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache MINA.

In SFTP servers implemented using Apache MINA SSHD that use a RootedFileSystem, logged users may be able to discover “exists/does not exist” information about items outside the rooted tree via paths including parent navigation ("..") beyond the root, or involving symlinks.

This issue affects Apache MINA: from 1.0 before 2.10. Users are recommended to upgrade to 2.10

References

github.com/apache/mina-sshd/pull/362
issues.apache.org/jira/browse/SSHD-1324
lists.apache.org/thread/b9qgtqvhnvgfpn0w1gz918p21p53tqk2
nvd.nist.gov/vuln/detail/CVE-2023-35887

Detect and mitigate CVE-2023-35887 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →