{
  "threat_severity" : "Moderate",
  "public_date" : "2023-07-10T00:00:00Z",
  "bugzilla" : {
    "description" : "apache-mina-sshd: information exposure in SFTP server implementations",
    "id" : "2240036",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2240036"
  },
  "cvss3" : {
    "cvss3_base_score" : "4.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-22",
  "details" : [ "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache MINA.\nIn SFTP servers implemented using Apache MINA SSHD that use a RootedFileSystem, logged-in users may be able to discover \"exists/does not exist\" information about items outside the rooted tree via paths including parent navigation (\"..\") beyond the root, or involving symlinks.\nThis issue affects Apache MINA: from 1.0 before 2.10. Users are recommended to upgrade to 2.10.", "A flaw was found in Apache Mina SSHD that could be exploited on certain SFTP servers implemented using the Apache Mina RootedFileSystem. This issue could permit authenticated users to view information outside of their permitted scope." ],
  "affected_release" : [ {
    "product_name" : "EAP 8.0.1",
    "release_date" : "2024-03-06T00:00:00Z",
    "advisory" : "RHSA-2024:1194",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.0",
    "package" : "sshd-common",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat build of Quarkus 2.13.9.Final",
    "release_date" : "2023-12-07T00:00:00Z",
    "advisory" : "RHSA-2023:7700",
    "cpe" : "cpe:/a:redhat:quarkus:2.13::el8",
    "package" : "org.apache.sshd/sshd-common:2.10.0.redhat-00002"
  }, {
    "product_name" : "Red Hat Data Grid 8.4.4",
    "release_date" : "2023-09-28T00:00:00Z",
    "advisory" : "RHSA-2023:5396",
    "cpe" : "cpe:/a:redhat:jboss_data_grid:8",
    "package" : "apache-mina"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7",
    "release_date" : "2023-12-04T00:00:00Z",
    "advisory" : "RHSA-2023:7641",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.4",
    "package" : "sshd-common"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8",
    "release_date" : "2023-12-04T00:00:00Z",
    "advisory" : "RHSA-2023:7638",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8",
    "package" : "eap7-undertow-0:2.2.28-1.SP1_redhat_00001.1.el8eap"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8",
    "release_date" : "2023-12-04T00:00:00Z",
    "advisory" : "RHSA-2023:7638",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8",
    "package" : "eap7-wildfly-0:7.4.14-5.GA_redhat_00002.1.el8eap"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9",
    "release_date" : "2023-12-04T00:00:00Z",
    "advisory" : "RHSA-2023:7639",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9",
    "package" : "eap7-undertow-0:2.2.28-1.SP1_redhat_00001.1.el9eap"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9",
    "release_date" : "2023-12-04T00:00:00Z",
    "advisory" : "RHSA-2023:7639",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9",
    "package" : "eap7-wildfly-0:7.4.14-5.GA_redhat_00002.1.el9eap"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7",
    "release_date" : "2023-12-04T00:00:00Z",
    "advisory" : "RHSA-2023:7637",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7",
    "package" : "eap7-undertow-0:2.2.28-1.SP1_redhat_00001.1.el7eap"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7",
    "release_date" : "2023-12-04T00:00:00Z",
    "advisory" : "RHSA-2023:7637",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7",
    "package" : "eap7-wildfly-0:7.4.14-5.GA_redhat_00002.1.el7eap"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8",
    "release_date" : "2024-03-06T00:00:00Z",
    "advisory" : "RHSA-2024:1192",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8",
    "package" : "eap8-apache-sshd-0:2.12.0-1.redhat_00001.1.el8eap",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8",
    "release_date" : "2024-03-06T00:00:00Z",
    "advisory" : "RHSA-2024:1192",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8",
    "package" : "eap8-eclipse-jgit-0:6.6.1.202309021850-1.r_redhat_00001.1.el8eap",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8",
    "release_date" : "2024-03-06T00:00:00Z",
    "advisory" : "RHSA-2024:1192",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8",
    "package" : "eap8-log4j-0:2.19.0-2.redhat_00001.1.el8eap",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8",
    "release_date" : "2024-03-06T00:00:00Z",
    "advisory" : "RHSA-2024:1192",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8",
    "package" : "eap8-lucene-solr-0:8.11.2-2.redhat_00001.1.el8eap",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8",
    "release_date" : "2024-03-06T00:00:00Z",
    "advisory" : "RHSA-2024:1192",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8",
    "package" : "eap8-parsson-0:1.1.5-1.redhat_00001.1.el8eap",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8",
    "release_date" : "2024-03-06T00:00:00Z",
    "advisory" : "RHSA-2024:1192",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8",
    "package" : "eap8-wildfly-0:8.0.1-3.GA_redhat_00002.1.el8eap",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9",
    "release_date" : "2024-03-06T00:00:00Z",
    "advisory" : "RHSA-2024:1193",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9",
    "package" : "eap8-apache-sshd-0:2.12.0-1.redhat_00001.1.el9eap",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9",
    "release_date" : "2024-03-06T00:00:00Z",
    "advisory" : "RHSA-2024:1193",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9",
    "package" : "eap8-eclipse-jgit-0:6.6.1.202309021850-1.r_redhat_00001.1.el9eap",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9",
    "release_date" : "2024-03-06T00:00:00Z",
    "advisory" : "RHSA-2024:1193",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9",
    "package" : "eap8-log4j-0:2.19.0-2.redhat_00001.1.el9eap",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9",
    "release_date" : "2024-03-06T00:00:00Z",
    "advisory" : "RHSA-2024:1193",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9",
    "package" : "eap8-lucene-solr-0:8.11.2-2.redhat_00001.1.el9eap",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9",
    "release_date" : "2024-03-06T00:00:00Z",
    "advisory" : "RHSA-2024:1193",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9",
    "package" : "eap8-parsson-0:1.1.5-1.redhat_00001.1.el9eap",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9",
    "release_date" : "2024-03-06T00:00:00Z",
    "advisory" : "RHSA-2024:1193",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9",
    "package" : "eap8-wildfly-0:8.0.1-3.GA_redhat_00002.1.el9eap",
    "impact" : "low"
  } ],
  "package_state" : [ {
    "product_name" : "OpenShift Developer Tools and Services",
    "fix_state" : "Out of support scope",
    "package_name" : "sshd-common",
    "cpe" : "cpe:/a:redhat:ocp_tools"
  }, {
    "product_name" : "OpenShift Serverless",
    "fix_state" : "Will not fix",
    "package_name" : "sshd-common",
    "cpe" : "cpe:/a:redhat:serverless:1"
  }, {
    "product_name" : "Red Hat Fuse 7",
    "fix_state" : "Out of support scope",
    "package_name" : "sshd-common",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7"
  }, {
    "product_name" : "Red Hat Integration Camel Quarkus 2",
    "fix_state" : "Affected",
    "package_name" : "sshd-common",
    "cpe" : "cpe:/a:redhat:camel_quarkus:2"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "fix_state" : "Out of support scope",
    "package_name" : "sshd-common",
    "cpe" : "cpe:/a:redhat:openshift:3.11"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Out of support scope",
    "package_name" : "sshd-common",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat Process Automation 7",
    "fix_state" : "Out of support scope",
    "package_name" : "sshd-common",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
  }, {
    "product_name" : "Red Hat Single Sign-On 7",
    "fix_state" : "Will not fix",
    "package_name" : "sshd-common",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7"
  }, {
    "product_name" : "Red Hat support for Spring Boot",
    "fix_state" : "Not affected",
    "package_name" : "sshd-common",
    "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0"
  }, {
    "product_name" : "Red Hat Virtualization 4",
    "fix_state" : "Out of support scope",
    "package_name" : "sshd-common",
    "cpe" : "cpe:/o:redhat:rhev_hypervisor:4"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-35887\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-35887" ],
  "name" : "CVE-2023-35887",
  "csaw" : false
}