GHSA-mjmq-gwgm-5qhm · Severity: medium · Ecosystem: maven — Apache MINA SSHD information disclosure vulnerability
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache MINA. In SFTP servers implemented using Apache MINA SSHD that use a RootedFileSystem, logged-in users may be able to discover "exists/does not exist" information about items outside the rooted tree via paths that include parent navigation ("..") beyond the root or that involve symlinks. This issue affects Apache MINA: from 1.0 before 2.10. Users are recommended to upgrade to 2.10.
Conclusion & alert: CVE-2023-35887 is rated Moderate Risk (41/100): CVSS Medium severity, with medium exploitation likelihood (EPSS 0.98%). Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.10% | 0.98% | +0.88% |
| 2 | 2025-11-21 | 0.84% | 0.10% | -0.74% |
| 3 | 2025-11-18 | — | 0.84% | — |
Full EPSS history (11 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 5.0 | 3.1 | MEDIUM | | 3.1 | 1.4 | [email protected] |
| 4.3 | 3.1 | MEDIUM | | 2.8 | 1.4 | [email protected] |
| vendor | priority | summary | link |
|---|---|---|---|
| debian | unimportant | CVE-2023-35887 unimportant priority: Debian including 1 source packages (libmina-sshd-java), 3 status rows across 3 suites (forky, sid, trixie): resolved 3. | https://security-tracker.debian.org/tracker/CVE-2023-35887 |
| redhat | medium | — | https://access.redhat.com/security/cve/CVE-2023-35887 |
| URL | Tags |
|---|---|
| https://lists.apache.org/thread/b9qgtqvhnvgfpn0w1gz918p21p53tqk2 | Mailing List Vendor Advisory |