{"id":"CVE-2023-35887","details":"Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache MINA.\n\nIn SFTP servers implemented using Apache MINA SSHD that use a RootedFileSystem, logged users may be able to discover \"exists/does not exist\" information about items outside the rooted tree via paths including parent navigation (\"..\") beyond the root, or involving symlinks.\n\nThis issue affects Apache MINA: from 1.0 before 2.10. Users are recommended to upgrade to 2.10\n","aliases":["GHSA-mjmq-gwgm-5qhm"],"modified":"2026-03-13T07:38:56.660725Z","published":"2023-07-10T16:15:53.050Z","references":[{"type":"ADVISORY","url":"https://lists.apache.org/thread/b9qgtqvhnvgfpn0w1gz918p21p53tqk2"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/mina-sshd","events":[{"introduced":"f11c73d4fb7836e8ae8ccb4ed8301dc42c0968ac"},{"fixed":"a377173417abd8d20541d73d97d739d440d895dc"}],"database_specific":{"versions":[{"introduced":"1.0.0"},{"fixed":"2.9.3"}]}}],"versions":["sshd-1.0.0","sshd-1.1.0","sshd-1.2.0","sshd-1.3.0","sshd-1.4.0","sshd-1.5.0","sshd-1.6.0","sshd-1.7.0","sshd-2.0.0","sshd-2.1.0","sshd-2.2.0","sshd-2.3.0","sshd-2.4.0","sshd-2.5.0","sshd-2.5.1","sshd-2.6.0","sshd-2.7.0","sshd-2.8.0","sshd-2.9.0","sshd-2.9.1","sshd-2.9.2"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-35887.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"}]}