The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • AI Data Pipelines
      Security Data Pipeline for AI SIEM and Data Optimization
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2023-35887

CVE-2023-35887: Apache MINA SSHD Information Disclosure

CVE-2023-35887 is an information disclosure vulnerability in Apache MINA SSHD that allows authenticated users to detect file existence outside rooted directories. This article covers technical details, affected versions, and mitigation.

Published: February 11, 2026

CVE-2023-35887 Overview

CVE-2023-35887 is a Path Traversal vulnerability affecting Apache MINA SSHD, an open-source Java library used for implementing SSH servers. In SFTP servers implemented using Apache MINA SSHD that use a RootedFileSystem, authenticated users may be able to discover "exists/does not exist" information about items outside the rooted tree via paths including parent navigation (..) beyond the root, or involving symlinks.

This information disclosure vulnerability allows attackers to enumerate file system structures outside their authorized directory scope, potentially revealing sensitive information about the server's file system layout.

Critical Impact

Authenticated attackers can bypass the RootedFileSystem sandbox to probe for the existence of files and directories outside their authorized scope, enabling reconnaissance activities that could inform further attacks.

Affected Products

  • Apache SSHD versions 1.0 through 2.9.x
  • SFTP servers using RootedFileSystem configuration
  • Applications built on Apache MINA SSHD with chroot-style file system restrictions

Discovery Timeline

  • 2023-07-10 - CVE CVE-2023-35887 published to NVD
  • 2024-11-21 - Last updated in NVD database

Technical Details for CVE-2023-35887

Vulnerability Analysis

This vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory - Path Traversal). The flaw exists in how Apache MINA SSHD handles path resolution within its RootedFileSystem implementation.

When an SFTP server is configured with a RootedFileSystem to sandbox users within a specific directory tree, the path validation logic fails to properly handle certain edge cases. Specifically, paths containing parent directory navigation sequences (..) that traverse beyond the root boundary, or paths involving symbolic links that escape the sandbox, are not adequately validated before certain file existence checks are performed.

While the vulnerability does not allow reading file contents or modifying files outside the sandbox, it does leak boolean information about whether files or directories exist at specified paths. This information leakage can be exploited by authenticated users to map the server's file system structure.

Root Cause

The root cause lies in insufficient path canonicalization and validation within the RootedFileSystem class. When processing SFTP requests that check for file existence (such as SSH_FXP_STAT or SSH_FXP_LSTAT operations), the implementation fails to properly normalize paths and verify they remain within the designated root directory before performing the existence check.

The path resolution algorithm does not consistently apply boundary checks across all code paths, allowing crafted requests with .. sequences or symlink references to probe locations outside the intended sandbox.

Attack Vector

The attack requires network access and valid authentication credentials for the SFTP server. An attacker with legitimate SFTP access can craft requests with path traversal sequences to probe for files outside their authorized directory.

The exploitation flow involves:

  1. Authenticating to the SFTP server with valid credentials
  2. Issuing file status requests with paths containing ../ sequences or symlink references
  3. Analyzing server responses to determine file existence based on error codes or response timing
  4. Building a map of the external file system structure through iterative probing

This vulnerability is exploitable from a network context and requires low attack complexity, though it does require authentication. The impact is limited to confidentiality of file existence information, with no direct impact on integrity or availability.

Detection Methods for CVE-2023-35887

Indicators of Compromise

  • Unusual SFTP request patterns containing multiple .. sequences in file paths
  • SFTP requests attempting to access paths outside user home directories
  • High volume of file status requests (SSH_FXP_STAT, SSH_FXP_LSTAT) from single sessions
  • Log entries showing path resolution errors or permission denials for paths outside sandbox boundaries

Detection Strategies

  • Monitor SFTP server logs for path traversal patterns in client requests
  • Implement alerting on repeated file existence checks targeting system directories (e.g., /etc, /root, /var)
  • Deploy network-based detection rules to identify SSH sessions with suspicious path patterns
  • Use behavioral analysis to detect enumeration activities across SFTP sessions

Monitoring Recommendations

  • Enable verbose logging on Apache MINA SSHD servers to capture full request paths
  • Configure SIEM rules to correlate multiple failed path access attempts from the same user
  • Implement anomaly detection for SFTP session behavior deviating from normal user patterns
  • Review audit logs periodically for signs of file system reconnaissance activities

How to Mitigate CVE-2023-35887

Immediate Actions Required

  • Upgrade Apache MINA SSHD to version 2.10 or later immediately
  • Review SFTP server configurations to identify deployments using RootedFileSystem
  • Audit user access logs for any evidence of path traversal exploitation attempts
  • Consider implementing additional application-level path validation as defense in depth

Patch Information

Users are recommended to upgrade to Apache MINA SSHD version 2.10 or later, which addresses this vulnerability. The fix improves path canonicalization and boundary validation within the RootedFileSystem implementation.

For detailed information about the security fix, refer to the Apache Security Mailing List Thread.

Workarounds

  • If immediate patching is not possible, consider implementing additional network-level access controls to limit SFTP access
  • Deploy application-level firewall rules to filter requests containing obvious path traversal sequences
  • Restrict SFTP access to only necessary users and implement strict authentication controls
  • Consider temporarily disabling SFTP functionality if the service is not critical to operations
  • Implement file system monitoring to detect unusual access patterns to sensitive directories

For production environments, upgrading to the patched version remains the recommended approach rather than relying on workarounds.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeInformation Disclosure
  • Vendor/TechApache Sshd
  • SeverityMEDIUM
  • CVSS Score4.3
  • EPSS Probability0.10%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityNone
  • AvailabilityNone
  • CWE References
  • CWE-22
  • Vendor Resources
  • Apache Security Mailing List Thread
  • Related CVEs
  • CVE-2022-45047: Apache MINA SSHD Deserialization Flaw
Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English