Medium severity5.0NVD Advisory· Published Jul 10, 2023· Updated Jun 17, 2026
CVE-2023-35887
CVE-2023-35887
Description
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache MINA.
In SFTP servers implemented using Apache MINA SSHD that use a RootedFileSystem, logged users may be able to discover "exists/does not exist" information about items outside the rooted tree via paths including parent navigation ("..") beyond the root, or involving symlinks.
This issue affects Apache MINA: from 1.0 before 2.10. Users are recommended to upgrade to 2.10
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.apache.sshd:sshd-commonMaven | >= 2.1.0, < 2.9.3 | 2.9.3 |
org.apache.sshd:sshd-sftpMaven | >= 1.0.0, < 2.9.3 | 2.9.3 |
org.apache.sshd:sshd-coreMaven | >= 1.0.0, < 2.1.0 | 2.1.0 |
Affected products
5- osv-coords4 versionspkg:apk/chainguard/hadoop-fips-3.3.6pkg:maven/org.apache.sshd/sshd-commonpkg:maven/org.apache.sshd/sshd-corepkg:maven/org.apache.sshd/sshd-sftp
< 3.3.6-r21+ 3 more
- (no CPE)range: < 3.3.6-r21
- (no CPE)range: >= 2.1.0, < 2.9.3
- (no CPE)range: >= 1.0.0, < 2.1.0
- (no CPE)range: >= 1.0.0, < 2.9.3
Patches
Vulnerability mechanics
References
8- github.com/advisories/GHSA-mjmq-gwgm-5qhmghsaADVISORY
- lists.apache.org/thread/b9qgtqvhnvgfpn0w1gz918p21p53tqk2nvdMailing ListVendor AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2023-35887ghsaADVISORY
- github.com/apache/mina-sshd/commit/10de190e7d3f9189deb76b8d08c72334a1fe2df0ghsaWEB
- github.com/apache/mina-sshd/commit/a61e93035f06bff8fc622ad94870fb773d48b9f0ghsaWEB
- github.com/apache/mina-sshd/commit/c20739b43aab0f7bf2ccad982a6cb37b9d5a8a0bghsaWEB
- github.com/apache/mina-sshd/pull/362ghsaWEB
- issues.apache.org/jira/browse/SSHD-1324ghsaWEB
News mentions
0No linked articles in our index yet.