search

opensearch-project / opensearch-build

🧰 OpenSearch / OpenSearch-Dashboards Build Systems
Apache License 2.0
135 stars 271 forks source link

CVE-2024-41909 (Medium) detected in sshd-common-2.9.2.jar, sshd-core-2.9.2.jar #4979

Closed mend-for-github-com[bot] closed 1 week ago

mend-for-github-com[bot] commented 2 weeks ago

CVE-2024-41909 - Medium Severity Vulnerability

Vulnerable Libraries - sshd-common-2.9.2.jar, sshd-core-2.9.2.jar

sshd-common-2.9.2.jar

Library home page: https://www.apache.org/

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.sshd/sshd-common/2.9.2/9671e971cf1f05d221c0a86cecc165d88156c8ed/sshd-common-2.9.2.jar

Dependency Hierarchy: - :x: **sshd-common-2.9.2.jar** (Vulnerable Library)

sshd-core-2.9.2.jar

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.sshd/sshd-core/2.9.2/cca012d0214f0540dc00903b8f5f731280ca6dfc/sshd-core-2.9.2.jar

Dependency Hierarchy: - :x: **sshd-core-2.9.2.jar** (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Like many other SSH implementations, Apache MINA SSHD suffered from the issue that is more widely known as CVE-2023-48795. An attacker that can intercept traffic between client and server could drop certain packets from the stream, potentially causing client and server to consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack The mitigations to prevent this type of attack were implemented in Apache MINA SSHD 2.12.0, both client and server side. Users are recommended to upgrade to at least this version. Note that both the client and the server implementation must have mitigations applied against this issue, otherwise the connection may still be affected.

Publish Date: 2024-08-12

URL: CVE-2024-41909

CVSS 3 Score Details (5.9)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: High - Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread/vwf1ot8wx1njyy8n19j5j2tcnjnozt3b

Release Date: 2024-08-12

Fix Resolution: 2.12.0

prudhvigodithi commented 2 weeks ago

Adding @zelinh to please take a look.