![]() |
|
Message-ID: <6167946a-2516-e021-45a8-f903b72d4508@apache.org> Date: Sun, 23 Mar 2025 13:30:23 +0000 From: "Gary D. Gregory" <ggregory@...che.org> To: oss-security@...ts.openwall.com Subject: CVE-2025-30474: Apache Commons VFS: Failing to find an FTP file can reveal the URI's password in an error message Severity: moderate Affected versions: - Apache Commons VFS before 2.10.0 Description: Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Commons VFS. The FtpFileObject class can throw an exception when a file is not found, revealing the original URI in its message, which may include a password. The fix is to mask the password in the exception message This issue affects Apache Commons VFS: before 2.10.0. Users are recommended to upgrade to version 2.10.0, which fixes the issue. This issue is being tracked as VFS-169 Credit: Marek Ĺ unda (finder) References: https://issues.apache.org/jira/browse/VFS-169 https://commons.apache.org/ https://www.cve.org/CVERecord?id=CVE-2025-30474 https://issues.apache.org/jira/browse/VFS-169
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.