Vulnerability details: VCID-r4e4-u4s6-63gc
Vulnerability ID VCID-r4e4-u4s6-63gc
Aliases CVE-2023-35887
GHSA-mjmq-gwgm-5qhm
Summary Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache MINA. In SFTP servers implemented using Apache MINA SSHD that use a RootedFileSystem, logged-in users may be able to discover "exists/does not exist" information about items outside the rooted tree via paths including parent navigation ("..") beyond the root, or involving symlinks. This issue affects Apache MINA: from 1.0 before 2.10. Users are recommended to upgrade to 2.10.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
System Score Found at
cvssv3 4.3 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-35887.json
epss 0.001 https://api.first.org/data/v1/epss?cve=CVE-2023-35887
epss 0.00103 https://api.first.org/data/v1/epss?cve=CVE-2023-35887
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-mjmq-gwgm-5qhm
cvssv3.1 5.0 https://github.com/apache/mina-sshd
generic_textual MODERATE https://github.com/apache/mina-sshd
cvssv3.1 5.0 https://github.com/apache/mina-sshd/commit/10de190e7d3f9189deb76b8d08c72334a1fe2df0
generic_textual MODERATE https://github.com/apache/mina-sshd/commit/10de190e7d3f9189deb76b8d08c72334a1fe2df0
cvssv3.1 5.0 https://github.com/apache/mina-sshd/commit/a61e93035f06bff8fc622ad94870fb773d48b9f0
generic_textual MODERATE https://github.com/apache/mina-sshd/commit/a61e93035f06bff8fc622ad94870fb773d48b9f0
cvssv3.1 5.0 https://github.com/apache/mina-sshd/commit/c20739b43aab0f7bf2ccad982a6cb37b9d5a8a0b
generic_textual MODERATE https://github.com/apache/mina-sshd/commit/c20739b43aab0f7bf2ccad982a6cb37b9d5a8a0b
cvssv3.1 5.0 https://github.com/apache/mina-sshd/pull/362
generic_textual MODERATE https://github.com/apache/mina-sshd/pull/362
cvssv3.1 5.0 https://issues.apache.org/jira/browse/SSHD-1324
generic_textual MODERATE https://issues.apache.org/jira/browse/SSHD-1324
cvssv3.1 5 https://lists.apache.org/thread/b9qgtqvhnvgfpn0w1gz918p21p53tqk2
cvssv3.1 5.0 https://lists.apache.org/thread/b9qgtqvhnvgfpn0w1gz918p21p53tqk2
generic_textual MODERATE https://lists.apache.org/thread/b9qgtqvhnvgfpn0w1gz918p21p53tqk2
ssvc Track https://lists.apache.org/thread/b9qgtqvhnvgfpn0w1gz918p21p53tqk2
cvssv3.1 5.0 https://nvd.nist.gov/vuln/detail/CVE-2023-35887
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2023-35887
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-35887.json
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N Found at https://github.com/apache/mina-sshd
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N Found at https://github.com/apache/mina-sshd/commit/10de190e7d3f9189deb76b8d08c72334a1fe2df0
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N Found at https://github.com/apache/mina-sshd/commit/a61e93035f06bff8fc622ad94870fb773d48b9f0
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N Found at https://github.com/apache/mina-sshd/commit/c20739b43aab0f7bf2ccad982a6cb37b9d5a8a0b
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N Found at https://github.com/apache/mina-sshd/pull/362
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N Found at https://issues.apache.org/jira/browse/SSHD-1324
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N Found at https://lists.apache.org/thread/b9qgtqvhnvgfpn0w1gz918p21p53tqk2
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-07T19:40:36Z/ Found at https://lists.apache.org/thread/b9qgtqvhnvgfpn0w1gz918p21p53tqk2
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2023-35887
Exploit Prediction Scoring System (EPSS)
Percentile 0.27787
EPSS Score 0.001
Published At April 2, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T12:51:32.589032+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.sshd/sshd-core/CVE-2023-35887.yml 38.0.0