CVE-2022-45047: Deserialization of Untrusted Data

November 16, 2022 (updated February 16, 2024)

Class org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider in Apache MINA SSHD <= 2.9.1 uses Java deserialization to load a serialized java.security.PrivateKey. The class is one of several implementations that an implementor using Apache MINA SSHD can choose for loading the host keys of an SSH server.

References

nvd.nist.gov/vuln/detail/CVE-2022-45047
www.mail-archive.com/dev@mina.apache.org/msg39312.html

Code Behaviors & Features

Detect and mitigate CVE-2022-45047 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →