Address CVE-2023-48795 (details are already public) #453
Description
Version
2.11
Bug description
Using Apache SSHD is now causing projects to fail security scanning due to CVE-2023-48795. Appreciate this is a much wider issue than just this project. Details of the vulnerability are already available publicly here:
https://nvd.nist.gov/vuln/detail/CVE-2023-48795#range-10212309
Are there any plans to address this issue? For example by disabling use of the affected extensions unless some explicit configuration is passed, e.g. AllowUnsafeExtensions?
Actual behavior
Using the Apache SSHD libraries causes projects to fail vulnerability scanning. Currently the only option is to use an exclusion for this vulnerability, so it can be exploited if a site is misconfigured.
Expected behavior
Affected extensions are disabled by default so the vulnerability cannot be exploited without explicit configuration. An updated version of SSHD passes security scanning.
Relevant log output
No response
Other information
No response
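One interim mitigation a deployment can apply today, as an added example that is not part of the issue or of the Apache SSHD project: pin the server's negotiable cipher and MAC lists to algorithms outside the scope of CVE-2023-48795 (which targets chacha20-poly1305@openssh.com and the *-etm@openssh.com MACs when paired with CBC ciphers). Class and enum names (SshServer, BuiltinCiphers, BuiltinMacs and their setters) are assumed from the org.apache.sshd API and should be checked against the 2.11 javadoc.

```java
// Added example, not code from the issue or the Apache SSHD project.
// Pins an Apache MINA SSHD server to cipher/MAC choices that are not
// affected by CVE-2023-48795 ("Terrapin" prefix truncation), until an
// upgraded release makes this the default.
import java.util.Arrays;
import java.util.List;

import org.apache.sshd.common.cipher.BuiltinCiphers;   // assumed enum name
import org.apache.sshd.common.mac.BuiltinMacs;         // assumed enum name
import org.apache.sshd.server.SshServer;

public final class TerrapinHardening {

    // Allow-list rather than deny-list: anything not named here is never
    // offered, so a future enum value cannot silently widen the surface.
    // CTR and GCM modes are kept; every CBC mode and ChaCha20-Poly1305 are out.
    static List<BuiltinCiphers> safeCiphers() {
        return Arrays.asList(
            BuiltinCiphers.aes128ctr, BuiltinCiphers.aes192ctr, BuiltinCiphers.aes256ctr,
            BuiltinCiphers.aes128gcm, BuiltinCiphers.aes256gcm);
    }

    // Plain Encrypt-and-MAC HMACs only; the "-etm@openssh.com" variants are
    // the ones the CVE covers and are deliberately absent.
    static List<BuiltinMacs> safeMacs() {
        return Arrays.asList(BuiltinMacs.hmacsha256, BuiltinMacs.hmacsha512);
    }

    // Apply to a server before start(); the setters accept
    // List<? extends NamedFactory<...>>, which the enum lists satisfy.
    public static void harden(SshServer server) {
        server.setCipherFactories(safeCiphers());
        server.setMacFactories(safeMacs());
    }

    public static void main(String[] args) throws Exception {
        SshServer server = SshServer.setUpDefaultServer();
        harden(server);
        // Print the negotiated offer so a scanner or operator can confirm
        // no CBC, ChaCha20 or ETM algorithm is advertised.
        System.out.println("ciphers: " + server.getCipherFactoriesNames());
        System.out.println("macs:    " + server.getMacFactoriesNames());
    }
}
```

The same two setters exist on the client-side factory if the project also uses Apache SSHD as an SSH client; restrict both ends, since the negotiation picks the first algorithm common to both lists.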