Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.sshd/sshd-common/2.9.2/9671e971cf1f05d221c0a86cecc165d88156c8ed/sshd-common-2.9.2.jar
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.sshd/sshd-core/2.9.2/cca012d0214f0540dc00903b8f5f731280ca6dfc/sshd-core-2.9.2.jar
Like many other SSH implementations, Apache MINA SSHD suffered from the issue that is more widely known as CVE-2023-48795. An attacker that can intercept traffic between client and server could drop certain packets from the stream, potentially causing client and server to consequently end up with a connection for which
some security features have been downgraded or disabled, aka a Terrapin
attack
The mitigations to prevent this type of attack were implemented in Apache MINA SSHD 2.12.0, both client and server side. Users are recommended to upgrade to at least this version. Note that both the client and the server implementation must have mitigations applied against this issue, otherwise the connection may still be affected.
CVE-2024-41909 - Medium Severity Vulnerability
Vulnerable Libraries - sshd-common-2.9.2.jar, sshd-core-2.9.2.jar
sshd-common-2.9.2.jar
Library home page: https://www.apache.org/
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.sshd/sshd-common/2.9.2/9671e971cf1f05d221c0a86cecc165d88156c8ed/sshd-common-2.9.2.jar
Dependency Hierarchy: - :x: **sshd-common-2.9.2.jar** (Vulnerable Library)
sshd-core-2.9.2.jar
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.sshd/sshd-core/2.9.2/cca012d0214f0540dc00903b8f5f731280ca6dfc/sshd-core-2.9.2.jar
Dependency Hierarchy: - :x: **sshd-core-2.9.2.jar** (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Like many other SSH implementations, Apache MINA SSHD suffered from the issue that is more widely known as CVE-2023-48795. An attacker that can intercept traffic between client and server could drop certain packets from the stream, potentially causing client and server to consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack The mitigations to prevent this type of attack were implemented in Apache MINA SSHD 2.12.0, both client and server side. Users are recommended to upgrade to at least this version. Note that both the client and the server implementation must have mitigations applied against this issue, otherwise the connection may still be affected.
Publish Date: 2024-08-12
URL: CVE-2024-41909
CVSS 3 Score Details (5.9)
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: High - Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://lists.apache.org/thread/vwf1ot8wx1njyy8n19j5j2tcnjnozt3b
Release Date: 2024-08-12
Fix Resolution: 2.12.0