Improper Validation of Integrity Check Value

CVE-2024-41909

Severity Medium
Score 5.9/10

Summary

Like many other SSH implementations, Apache MINA SSHD suffered from the issue more widely known as CVE-2023-48795. An attacker who can intercept traffic between client and server could drop certain packets from the stream, potentially leaving client and server with a connection for which some security features have been downgraded or disabled (a Terrapin attack). The mitigation against this type of attack was implemented in Apache MINA SSHD on both the client and the server side. This issue affects the org.apache.sshd:sshd-core package in versions prior to 2.12.0. Users are recommended to upgrade to a fixed version. Note that both the client and the server implementation must have the mitigation applied; otherwise the connection may still be affected.
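The mitigation the summary refers to is the "strict key exchange" extension, which peers advertise through marker names in the kex algorithm list of their SSH_MSG_KEXINIT (a fact known from the CVE-2023-48795 mitigation, not stated on this page). As an added example, not code from Apache MINA SSHD, the following parses a KEXINIT payload and reports whether a peer advertises strict kex and whether it offers the cipher/MAC combinations under which prefix truncation is exploitable; the payloads fed to it are constructed inline for testing.

```python
import struct

SSH_MSG_KEXINIT = 20  # message number from RFC 4253, section 7.1
# Strict-kex markers that peers advertise in the kex name-list once they carry
# the CVE-2023-48795 mitigation (server and client variants respectively).
STRICT_KEX_SERVER = "kex-strict-s-v00@openssh.com"
STRICT_KEX_CLIENT = "kex-strict-c-v00@openssh.com"
CHACHA = "chacha20-poly1305@openssh.com"
FIELDS = ["kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]

def parse_kexinit(payload: bytes) -> dict:
    """Split an unencrypted SSH_MSG_KEXINIT payload into its ten name-lists."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    pos = 1 + 16  # skip message id and the 16-byte cookie
    out = {}
    for name in FIELDS:
        (length,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        raw = payload[pos:pos + length]
        if len(raw) != length:
            raise ValueError("truncated name-list: " + name)
        pos += length
        out[name] = [a for a in raw.decode("ascii").split(",") if a]
    return out

def assess(kexinit: dict, is_server: bool) -> dict:
    """Flag a peer that offers an exploitable cipher/MAC combination
    (ChaCha20-Poly1305, or any CBC cipher with an Encrypt-then-MAC MAC)
    without also advertising strict key exchange."""
    marker = STRICT_KEX_SERVER if is_server else STRICT_KEX_CLIENT
    strict = marker in kexinit["kex"]
    ciphers = set(kexinit["enc_c2s"]) | set(kexinit["enc_s2c"])
    macs = set(kexinit["mac_c2s"]) | set(kexinit["mac_s2c"])
    chacha = CHACHA in ciphers
    cbc_etm = (any(c.endswith("-cbc") for c in ciphers)
               and any("-etm@" in m for m in macs))
    return {"strict_kex": strict, "chacha20": chacha, "cbc_etm": cbc_etm,
            "exposed": (chacha or cbc_etm) and not strict}

def build_kexinit(name_lists) -> bytes:
    """Encode name-lists into a KEXINIT payload (constructed test input only)."""
    body = bytes([SSH_MSG_KEXINIT]) + bytes(16)  # zero cookie is fine for parsing
    for names in name_lists:
        s = ",".join(names).encode("ascii")
        body += struct.pack(">I", len(s)) + s
    return body + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved
```

A peer that is "exposed" here is one that would negotiate a vulnerable configuration without the downgrade protection; as the summary notes, both ends must advertise strict kex for the connection to be protected.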

  • HIGH
  • NETWORK
  • HIGH
  • UNCHANGED
  • NONE
  • NONE
  • NONE
  • NONE

CWE-354 - Improper Validation of Integrity Check Value

The software does not validate or incorrectly validates the integrity check values or "checksums" of a message. This may prevent it from detecting if the data has been modified or corrupted in transmission.

Advisory Timeline

  • Published