CVE-2024-41909

2024-08-1216:15:15

CWE-354

apache

web.nvd.nist.gov

apache mina sshd

cve-2024-41909

terrapin attack

traffic interception

connection security

CVSS3

5.9

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

AI Score

6.8

Confidence

Low

EPSS

0.965

Percentile

99.6%

JSON

Like many other SSH implementations, Apache MINA SSHD suffered from the issue that is more widely known as CVE-2023-48795. An attacker that can intercept traffic between client and server could drop certain packets from the stream, potentially causing client and server to consequently end up with a connection for which
some security features have been downgraded or disabled, aka a Terrapin
attack

The mitigations to prevent this type of attack were implemented in Apache MINA SSHD 2.12.0, both client and server side. Users are recommended to upgrade to at least this version. Note that both the client and the server implementation must have mitigations applied against this issue, otherwise the connection may still be affected.

Affected configurations

Nvd

Vulners

Node

apachemina_sshdRange≤2.11.0

VendorProductVersionCPE
apachemina_sshd*cpe:2.3:a:apache:mina_sshd:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
apache	mina_sshd	*	cpe:2.3:a:apache:mina_sshd::::::::

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Apache MINA SSHD",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "lessThanOrEqual": "2.11.0",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      }
    ]
  }
]