Description
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache MINA.
In SFTP servers implemented using Apache MINA SSHD that use a RootedFileSystem, logged users may be able to discover "exists/does not exist" information about items outside the rooted tree via paths including parent navigation ("..") beyond the root, or involving symlinks.
This issue affects Apache MINA: from 1.0 before 2.10. Users are recommended to upgrade to 2.10.
A flaw was found in Apache MINA SSHD that could be exploited on certain SFTP servers implemented using the Apache MINA RootedFileSystem. This issue could permit authenticated users to view information outside of their permissions scope.
Affected packages
| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| OpenShift Developer Tools and Services | sshd-common | Out of support scope | ||
| OpenShift Serverless | sshd-common | Will not fix | ||
| Red Hat Fuse 7 | sshd-common | Out of support scope | ||
| Red Hat Integration Camel Quarkus 2 | sshd-common | Affected | ||
| Red Hat OpenShift Container Platform 3.11 | sshd-common | Out of support scope | ||
| Red Hat OpenShift Container Platform 4 | sshd-common | Out of support scope | ||
| Red Hat Process Automation 7 | sshd-common | Out of support scope | ||
| Red Hat Single Sign-On 7 | sshd-common | Will not fix | ||
| Red Hat support for Spring Boot | sshd-common | Not affected | ||
| Red Hat Virtualization 4 | sshd-common | Out of support scope | ||
Additional information
Status:
4.3 Medium
CVSS3
Related vulnerabilities
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache MINA. In SFTP servers implemented using Apache MINA SSHD that use a RootedFileSystem, logged users may be able to discover "exists/does not exist" information about items outside the rooted tree via paths including parent navigation ("..") beyond the root, or involving symlinks. This issue affects Apache MINA: from 1.0 before 2.10. Users are recommended to upgrade to 2.10.
Exposure of Sensitive Information to an Unauthorized Actor vulnerabili ...
Apache MINA SSHD information disclosure vulnerability
A vulnerability in Apache SSHD, a Java library for SSH protocol support, related to improper limitation of a pathname to a restricted directory, allowing an attacker to gain unauthorized access to protected information
4.3 Medium
CVSS3