Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CVE-2024-41909 (Medium) detected in sshd-common-2.9.2.jar, sshd-core-2.9.2.jar #4979

Closed
1 task
mend-for-github-com bot opened this issue Aug 28, 2024 · 1 comment · Fixed by #4984
Closed
1 task

CVE-2024-41909 (Medium) detected in sshd-common-2.9.2.jar, sshd-core-2.9.2.jar #4979

mend-for-github-com bot opened this issue Aug 28, 2024 · 1 comment · Fixed by #4984
Labels
Mend: dependency security vulnerability Security vulnerability detected by WhiteSource

Comments

@mend-for-github-com
Copy link
Contributor

CVE-2024-41909 - Medium Severity Vulnerability

Vulnerable Libraries - sshd-common-2.9.2.jar, sshd-core-2.9.2.jar

sshd-common-2.9.2.jar

Library home page: https://www.apache.org/

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.sshd/sshd-common/2.9.2/9671e971cf1f05d221c0a86cecc165d88156c8ed/sshd-common-2.9.2.jar

Dependency Hierarchy:

  • sshd-common-2.9.2.jar (Vulnerable Library)
sshd-core-2.9.2.jar

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.sshd/sshd-core/2.9.2/cca012d0214f0540dc00903b8f5f731280ca6dfc/sshd-core-2.9.2.jar

Dependency Hierarchy:

  • sshd-core-2.9.2.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Like many other SSH implementations, Apache MINA SSHD suffered from the issue that is more widely known as CVE-2023-48795. An attacker that can intercept traffic between client and server could drop certain packets from the stream, potentially causing client and server to consequently end up with a connection for which
some security features have been downgraded or disabled, aka a Terrapin
attack

The mitigations to prevent this type of attack were implemented in Apache MINA SSHD 2.12.0, both client and server side. Users are recommended to upgrade to at least this version. Note that both the client and the server implementation must have mitigations applied against this issue, otherwise the connection may still be affected.

Publish Date: 2024-08-12

URL: CVE-2024-41909

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread/vwf1ot8wx1njyy8n19j5j2tcnjnozt3b

Release Date: 2024-08-12

Fix Resolution: 2.12.0

  • Check this box to open an automated fix PR
@mend-for-github-com mend-for-github-com bot added the Mend: dependency security vulnerability Security vulnerability detected by WhiteSource label Aug 28, 2024
@github-actions github-actions bot added the untriaged Issues that have not yet been triaged label Aug 28, 2024
@prudhvigodithi prudhvigodithi removed the untriaged Issues that have not yet been triaged label Aug 29, 2024
@prudhvigodithi
Copy link
Collaborator

Adding @zelinh to please take a look.

@zelinh zelinh mentioned this issue Aug 29, 2024
Merged
@peterzhuamazon peterzhuamazon linked a pull request Sep 3, 2024 that will close this issue
Upgrade library version to fix CVEs #4984
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Mend: dependency security vulnerability Security vulnerability detected by WhiteSource
Projects
Engineering Effectiveness Board
Status: ✅ Done
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Upgrade library version to fix CVEs zelinh/opensearch-build
1 participant
@prudhvigodithi