GHSA-fhw8-8j55-vwgq

Source

https://github.com/advisories/GHSA-fhw8-8j55-vwgq

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-fhw8-8j55-vwgq/GHSA-fhw8-8j55-vwgq.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-fhw8-8j55-vwgq

Aliases

CVE-2022-45047

Published

2022-11-16T12:00:18Z

Modified

2024-02-16T08:13:30.681636Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Unsafe deserialization in Apache MINA SSHD

Details

Class org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider in Apache MINA SSHD <= 2.9.1 uses Java deserialization to load a serialized java.security.PrivateKey. The class is one of several implementations that an implementor using Apache MINA SSHD can choose for loading the host keys of an SSH server.

Until version 2.1.0, the code affected by this vulnerability appeared in org.apache.sshd:sshd-core. Version 2.1.0 contains a commit where the code was moved to the package org.apache.sshd:sshd-common, which did not exist until version 2.1.0.

References

Affected packages

Maven / org.apache.sshd:sshd-common

Package

Name: org.apache.sshd:sshd-common; View open source insights on deps.dev
Purl: pkg:maven/org.apache.sshd/sshd-common

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.9.2

Affected versions

2.*

2.1.0

2.2.0

2.3.0

2.4.0

2.5.0

2.5.1

2.6.0

2.7.0

2.8.0

2.9.0

2.9.1

Maven / org.apache.sshd:sshd-core

Package

Name: org.apache.sshd:sshd-core; View open source insights on deps.dev
Purl: pkg:maven/org.apache.sshd/sshd-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.9.2

Affected versions

0.*

0.1.0

0.2.0

0.3.0

0.4.0

0.5.0

0.6.0

0.7.0

0.8.0

0.9.0

0.10.0

0.10.1

0.11.0

0.11.0-sshd-314-1

0.12.0

0.13.0

0.14.0

1.*

1.0.0

1.1.0

1.1.1

1.2.0

1.3.0

1.4.0

1.6.0

1.7.0

2.*

2.0.0