VYPR
Medium severity5.0NVD Advisory· Published Jul 10, 2023· Updated Jun 17, 2026

CVE-2023-35887

CVE-2023-35887

Description

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache MINA.

In SFTP servers implemented using Apache MINA SSHD that use a RootedFileSystem, logged users may be able to discover "exists/does not exist" information about items outside the rooted tree via paths including parent navigation ("..") beyond the root, or involving symlinks.

This issue affects Apache MINA: from 1.0 before 2.10. Users are recommended to upgrade to 2.10

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
org.apache.sshd:sshd-commonMaven
>= 2.1.0, < 2.9.32.9.3
org.apache.sshd:sshd-sftpMaven
>= 1.0.0, < 2.9.32.9.3
org.apache.sshd:sshd-coreMaven
>= 1.0.0, < 2.1.02.1.0

Affected products

5

Patches

Vulnerability mechanics

References

8

News mentions

0

No linked articles in our index yet.