CVE-2022-45047

CRITICAL

Apache Sshd < 2.9.1 - Insecure Deserialization

Description

Class org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider in Apache MINA SSHD <= 2.9.1 uses Java deserialization to load a serialized java.security.PrivateKey. The class is one of several implementations that an implementor using Apache MINA SSHD can choose for loading the host keys of an SSH server.

Exploits (1)

nomisec: working PoC · 2 stars · by hktalent · poc
https://github.com/hktalent/CVE-2022-45047

Scores

CVSS v3 9.8
EPSS 0.0570
EPSS Percentile 90.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

CWE
CWE-502
Status published
Products (4)
apache/sshd < 2.9.1
Apache Software Foundation/Apache MINA SSHD unspecified - 2.9.1
org.apache.sshd/sshd-common 0 - 2.9.2 (Maven)
org.apache.sshd/sshd-core 0 - 2.9.2 (Maven)
Published Nov 16, 2022
Tracked Since Feb 18, 2026