Skip to main content

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVE-2023-35887

Severity Medium
Score 4.3/10

Summary

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache MINA. In SFTP servers implemented using Apache MINA SSHD that use a RootedFileSystem, logged users may be able to discover "exists/does not exist" information about items outside the rooted tree via paths including parent navigation ("..") beyond the root, or involving symlinks. This issue affects Apache MINA in versions 1.0.0 through 2.9.2.

  • LOW
  • NETWORK
  • NONE
  • UNCHANGED
  • NONE
  • LOW
  • LOW
  • NONE

CWE-22 - Path Traversal

Path traversal (or directory traversal), is a vulnerability that allows malicious users to traverse the server's root directory, gaining access to arbitrary files and folders such as application code & data, back-end credentials, and sensitive operating system files. In the worst-case scenario, an attacker could potentially execute arbitrary files on the server, resulting in a denial of service attack. Such an exploit may severely impact the integrity, confidentiality, and availability of an application.

Advisory Timeline

  • Published