CVE-2022-45047

CRITICAL

Apache Sshd < 2.9.1 - Insecure Deserialization

Title source: rule

Description

Class org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider in Apache MINA SSHD <= 2.9.1 uses Java deserialization to load a serialized java.security.PrivateKey. The class is one of several implementations that an implementor using Apache MINA SSHD can choose for loading the host keys of an SSH server.

Exploits (1)

nomisec (working PoC, 2 stars)
by hktalent · poc
https://github.com/hktalent/CVE-2022-45047

Scores

CVSS v3 9.8
EPSS 0.0507
EPSS Percentile 89.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE
CWE-502
Status published

Affected Products (3)

apache/sshd < 2.9.1
org.apache.sshd/sshd-common < 2.9.2 (Maven)
org.apache.sshd/sshd-core < 2.9.2 (Maven)

Timeline

Published Nov 16, 2022
Tracked Since Feb 18, 2026