
Address CVE-2023-48795 (details are already public) #453

Closed
@martin-traverse

Description

Version

2.11

Bug description

Using Apache SSHD is now causing projects to fail security scanning due to CVE-2023-48795. Appreciate this is a much wider issue than just this project. Details of the vulnerability are already available publicly here:

https://nvd.nist.gov/vuln/detail/CVE-2023-48795#range-10212309

Are there any plans to address this issue? For example by disabling use of the affected extensions unless some explicit configuration is passed, e.g. AllowUnsafeExtensions?

Actual behavior

Using the Apache SSHD libraries causes projects to fail vulnerability scanning. Currently the only option is to use an exclusion for this vulnerability, so it can be exploited if a site is misconfigured.

Expected behavior

Affected extensions are disabled by default so the vulnerability cannot be exploited without explicit configuration. An updated version of SSHD passes security scanning.

Relevant log output

No response

Other information

No response
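As an added example (not code from the issue author or from the Apache SSHD project), the check below works at the SSH protocol level rather than through the SSHD API: it parses an SSH_MSG_KEXINIT payload, reports which advertised algorithms CVE-2023-48795 applies to (chacha20-poly1305@openssh.com, and the -etm@openssh.com MACs when a CBC cipher is also offered), treats a peer that advertises the strict key exchange marker as having the countermeasure, and builds a local offer with the affected algorithms dropped unless an explicit allow_unsafe_extensions flag is set, which is the opt-in the report asks for. The sample offers are constructed, not captured traffic, and the function and field names are this example's own.

```python
"""CVE-2023-48795 policy check on SSH_MSG_KEXINIT payloads (added example)."""
import struct

SSH_MSG_KEXINIT = 20

# The ten name-lists of a KEXINIT, in wire order (RFC 4253 section 7.1).
NAME_LIST_FIELDS = (
    "kex", "host_key",
    "cipher_c2s", "cipher_s2c",
    "mac_c2s", "mac_s2c",
    "comp_c2s", "comp_s2c",
    "lang_c2s", "lang_s2c",
)

# What the CVE names: the chacha20-poly1305 cipher, and the encrypt-then-MAC
# variants when a CBC-mode cipher is in use.
AFFECTED_CIPHERS = {"chacha20-poly1305@openssh.com"}
ETM_SUFFIX = "-etm@openssh.com"
CBC_SUFFIX = "-cbc"

# Strict key exchange pseudo-algorithms; a peer listing its side's marker has the fix.
STRICT_KEX_MARKERS = {"kex-strict-s-v00@openssh.com", "kex-strict-c-v00@openssh.com"}


def build_kexinit(fields, cookie=b"\x00" * 16):
    """Serialise a KEXINIT payload from {field name: [algorithm names]}."""
    out = bytearray([SSH_MSG_KEXINIT]) + cookie
    for name in NAME_LIST_FIELDS:
        data = ",".join(fields.get(name, [])).encode("ascii")
        out += struct.pack(">I", len(data)) + data
    out += b"\x00"               # first_kex_packet_follows = FALSE
    out += struct.pack(">I", 0)  # reserved
    return bytes(out)


def parse_kexinit(payload):
    """Parse a KEXINIT payload back into {field name: [algorithm names]}."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos = 17  # message id + 16-byte cookie
    fields = {}
    for name in NAME_LIST_FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated KEXINIT")
        (length,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        if pos + length > len(payload):
            raise ValueError("truncated name-list")
        raw = payload[pos:pos + length].decode("ascii")
        pos += length
        fields[name] = [a for a in raw.split(",") if a]
    if pos + 5 > len(payload):
        raise ValueError("missing KEXINIT trailer")
    fields["first_kex_packet_follows"] = payload[pos] != 0
    return fields


def affected_algorithms(fields):
    """Names in a parsed offer that CVE-2023-48795 applies to, checked per direction."""
    hits = set()
    for side in ("c2s", "s2c"):
        ciphers = fields["cipher_" + side]
        macs = fields["mac_" + side]
        hits.update(c for c in ciphers if c in AFFECTED_CIPHERS)
        if any(c.endswith(CBC_SUFFIX) for c in ciphers):
            hits.update(m for m in macs if m.endswith(ETM_SUFFIX))
    return sorted(hits)


def assess_peer(payload):
    """Summarise a peer's KEXINIT: strict kex present, affected names, net exposure."""
    fields = parse_kexinit(payload)
    strict = bool(STRICT_KEX_MARKERS & set(fields["kex"]))
    exposed = affected_algorithms(fields)
    return {"strict_kex": strict, "affected": exposed,
            "vulnerable": bool(exposed) and not strict}


def harden_offer(fields, allow_unsafe_extensions=False):
    """Copy of our own offer with the affected algorithms removed by default.

    chacha20-poly1305 is dropped outright; the CBC ciphers are dropped so that the
    -etm MACs remain usable with CTR/GCM ciphers. allow_unsafe_extensions=True is
    the explicit opt-in that keeps the original offer unchanged.
    """
    hardened = {name: list(fields.get(name, [])) for name in NAME_LIST_FIELDS}
    if allow_unsafe_extensions:
        return hardened
    for name in ("cipher_c2s", "cipher_s2c"):
        hardened[name] = [c for c in hardened[name]
                          if c not in AFFECTED_CIPHERS and not c.endswith(CBC_SUFFIX)]
    return hardened


# Constructed sample offers (not captured traffic).
LEGACY_SERVER_OFFER = {
    "kex": ["curve25519-sha256", "diffie-hellman-group14-sha256"],
    "host_key": ["ssh-ed25519", "rsa-sha2-512"],
    "cipher_c2s": ["chacha20-poly1305@openssh.com", "aes256-cbc", "aes128-ctr"],
    "cipher_s2c": ["chacha20-poly1305@openssh.com", "aes256-cbc", "aes128-ctr"],
    "mac_c2s": ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"],
    "mac_s2c": ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"],
    "comp_c2s": ["none"], "comp_s2c": ["none"],
}
PATCHED_SERVER_OFFER = dict(
    LEGACY_SERVER_OFFER,
    kex=LEGACY_SERVER_OFFER["kex"] + ["kex-strict-s-v00@openssh.com"])
```

Run against a real peer, the payload fed to assess_peer is the decrypted KEXINIT body of the first packet the peer sends after the version exchange; the result tells an operator whether that peer still needs patching. harden_offer is what a library default along the lines the report proposes would apply to its own algorithm lists before sending its KEXINIT.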

Metadata

Assignees

No one assigned

Labels

duplicate (An issue that is a duplicate of another one.)
