CVE-2022-45047

2022-11-1609:15:14

CWE-502

[email protected]

web.nvd.nist.gov

197

cve-2022-45047

apache mina sshd

vulnerability

java deserialization

nvd

security

ssh server

host keys

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.2 High

AI Score

Confidence

High

0.01 Low

EPSS

Percentile

83.7%

JSON

Class org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider in Apache MINA SSHD <= 2.9.1 uses Java deserialization to load a serialized java.security.PrivateKey. The class is one of several implementations that an implementor using Apache MINA SSHD can choose for loading the host keys of an SSH server.

Affected configurations

Vulners

NVD

Node

apachemina_sshdRange≤2.9.1

CPENameOperatorVersion
apache:sshdapache sshdle2.9.1

CPE	Name	Operator	Version
apache:sshd	apache sshd	le	2.9.1

CNA Affected

[
  {
    "vendor": "Apache Software Foundation",
    "product": "Apache MINA SSHD",
    "versions": [
      {
        "version": "unspecified",
        "lessThanOrEqual": "2.9.1",
        "status": "affected",
        "versionType": "custom"
      }
    ]
  }
]