CVE-2023-35887: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
(updated )
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache MINA.
In SFTP servers implemented using Apache MINA SSHD that use a RootedFileSystem, logged users may be able to discover “exists/does not exist” information about items outside the rooted tree via paths including parent navigation ("..") beyond the root, or involving symlinks.
This issue affects Apache MINA: from 1.0 before 2.10. Users are recommended to upgrade to 2.10
References
- github.com/advisories/GHSA-mjmq-gwgm-5qhm
- github.com/apache/mina-sshd/commit/10de190e7d3f9189deb76b8d08c72334a1fe2df0
- github.com/apache/mina-sshd/commit/a61e93035f06bff8fc622ad94870fb773d48b9f0
- github.com/apache/mina-sshd/pull/362
- issues.apache.org/jira/browse/SSHD-1324
- lists.apache.org/thread/b9qgtqvhnvgfpn0w1gz918p21p53tqk2
- nvd.nist.gov/vuln/detail/CVE-2023-35887
Detect and mitigate CVE-2023-35887 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →