Update dependency org.apache.sshd:sshd-core to v2 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
org.apache.sshd:sshd-core (source)	1.4.0 → 2.9.2

---

Unsafe deserialization in Apache MINA SSHD

CVE-2022-45047 / GHSA-fhw8-8j55-vwgq

More information

Details

Class org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider in Apache MINA SSHD <= 2.9.1 uses Java deserialization to load a serialized java.security.PrivateKey. The class is one of several implementations that an implementor using Apache MINA SSHD can choose for loading the host keys of an SSH server.

Until version 2.1.0, the code affected by this vulnerability appeared in org.apache.sshd:sshd-core. Version 2.1.0 contains a commit where the code was moved to the package org.apache.sshd:sshd-common, which did not exist until version 2.1.0.

Severity

• CVSS Score: 9.8 / 10 (Critical)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

• https://nvd.nist.gov/vuln/detail/CVE-2022-45047
• https://www.mail-archive.com/dev@mina.apache.org/msg39312.html
• https://github.com/apache/mina-sshd/commit/03238d51586f6b3c0bdbb1a23cf16799344d6c32
• https://github.com/apache/mina-sshd/commit/5a8fe830b2a2308a2b24ac8115a391af477f64f5
• https://github.com/apache/mina-sshd/commit/10de190e7d3f9189deb76b8d08c72334a1fe2df0
• https://github.com/advisories/GHSA-fhw8-8j55-vwgq

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Apache MINA SSHD information disclosure vulnerability

CVE-2023-35887 / GHSA-mjmq-gwgm-5qhm

More information

Details

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache MINA.

In SFTP servers implemented using Apache MINA SSHD that use a RootedFileSystem, logged users may be able to discover "exists/does not exist" information about items outside the rooted tree via paths including parent navigation ("..") beyond the root, or involving symlinks.

This issue affects Apache MINA: from 1.0 before 2.9.3 Users are recommended to upgrade to 2.9.3

Until version 2.1.0, some of the code affected by this vulnerability appeared in org.apache.sshd:sshd-core. Version 2.1.0 contains a commit where the code was moved to the package org.apache.sshd:sshd-common, which did not exist until version 2.1.0.

Severity

• CVSS Score: 5.0 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

References

• https://nvd.nist.gov/vuln/detail/CVE-2023-35887
• https://lists.apache.org/thread/b9qgtqvhnvgfpn0w1gz918p21p53tqk2
• https://github.com/apache/mina-sshd/pull/362
• https://github.com/apache/mina-sshd/commit/a61e93035f06bff8fc622ad94870fb773d48b9f0
• https://issues.apache.org/jira/browse/SSHD-1324
• https://github.com/apache/mina-sshd/commit/10de190e7d3f9189deb76b8d08c72334a1fe2df0
• https://github.com/apache/mina-sshd/commit/c20739b43aab0f7bf2ccad982a6cb37b9d5a8a0b
• https://github.com/advisories/GHSA-mjmq-gwgm-5qhm

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.