CVE-2023-35887: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

July 10, 2023 (updated July 19, 2023)

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache MINA.

In SFTP servers implemented using Apache MINA SSHD that use a RootedFileSystem, logged users may be able to discover “exists/does not exist” information about items outside the rooted tree via paths including parent navigation ("..") beyond the root, or involving symlinks.

This issue affects Apache MINA: from 1.0 before 2.10. Users are recommended to upgrade to 2.10

References

github.com/advisories/GHSA-mjmq-gwgm-5qhm
github.com/apache/mina-sshd/commit/a61e93035f06bff8fc622ad94870fb773d48b9f0
github.com/apache/mina-sshd/pull/362
issues.apache.org/jira/browse/SSHD-1324
lists.apache.org/thread/b9qgtqvhnvgfpn0w1gz918p21p53tqk2
nvd.nist.gov/vuln/detail/CVE-2023-35887

Code Behaviors & Features

Detect and mitigate CVE-2023-35887 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →