CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
AI Score
Confidence
High
EPSS
Percentile
99.6%
Like many other SSH implementations, Apache MINA SSHD suffered from the issue that is more widely known as CVE-2023-48795. An attacker that can intercept traffic between client and server could drop certain packets from the stream, potentially causing client and server to consequently end up with a connection for which
some security features have been downgraded or disabled, aka a Terrapin
attack
The mitigations to prevent this type of attack were implemented in Apache MINA SSHD 2.12.0, both client and server side. Users are recommended to upgrade to at least this version. Note that both the client and the server implementation must have mitigations applied against this issue, otherwise the connection may still be affected.
Vendor | Product | Version | CPE |
---|---|---|---|
org.apache.sshd | sshd-common | * | cpe:2.3:a:org.apache.sshd:sshd-common:*:*:*:*:*:*:*:* |
github.com/advisories/GHSA-2326-hx7g-3m9r
github.com/apache/mina-sshd/commit/315739e4e9d1dc7a4ff32ea64936982ed0b73e76
github.com/apache/mina-sshd/commit/6b0fd46f64bcb75eeeee31d65f10242660aad7c1
github.com/apache/mina-sshd/commit/7b2c781640a7a78a9455b86593a1f63c9e8cab92
github.com/apache/mina-sshd/issues/445
github.com/apache/mina-sshd/pull/449
github.com/apache/mina-sshd/releases/tag/sshd-2.12.0
lists.apache.org/thread/vwf1ot8wx1njyy8n19j5j2tcnjnozt3b
nvd.nist.gov/vuln/detail/CVE-2024-41909
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
AI Score
Confidence
High
EPSS
Percentile
99.6%