oss-sec mailing list archives

CVE-2025-30474: Apache Commons VFS: Failing to find an FTP file can reveal the URI's password in an error message


From: "Gary D. Gregory" <ggregory () apache org>
Date: Sun, 23 Mar 2025 13:30:23 +0000

Severity: moderate

Affected versions:

- Apache Commons VFS before 2.10.0

Description:

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Commons VFS.

The FtpFileObject class can throw an exception when a file is not found, revealing the original URI in its message,
which may include a password. The fix is to mask the password in the exception message.
This issue affects Apache Commons VFS: before 2.10.0.

Users are recommended to upgrade to version 2.10.0, which fixes the issue.

This issue is being tracked as VFS-169 
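The following is an added illustration, not code from Apache Commons VFS or from this advisory. It shows the bug class described above: an exception message built from a URI whose user-info still carries "user:password", next to a hardened variant that masks the password before the message is assembled. The class and method names (FtpUriMasking, unsafeNotFoundMessage, safeNotFoundMessage, maskPassword), the message wording and the sample URI are all assumptions made for this example and do not reflect the actual VFS source or its fix.

```java
import java.net.URI;
import java.net.URISyntaxException;

/**
 * Added example (not Apache Commons VFS code). Demonstrates the bug class in
 * the advisory: an exception message built from a URI whose user-info still
 * contains "user:password", and a hardened variant that masks the password.
 */
public final class FtpUriMasking {

    /** Hypothetical "before" behaviour: the raw URI is copied into the message. */
    static String unsafeNotFoundMessage(String uri) {
        return "Could not find file \"" + uri + "\".";
    }

    /** Hardened variant: the password is masked before the message is built. */
    static String safeNotFoundMessage(String uri) {
        return "Could not find file \"" + maskPassword(uri) + "\".";
    }

    /**
     * Returns the URI with the password part of its user-info replaced by "***".
     * The user name is kept. Everything after the first ':' in the user-info is
     * treated as the password, so a password that itself contains ':' is masked
     * in full. Unparseable input is replaced entirely rather than echoed back, so
     * a malformed string can never leak through unmasked.
     */
    static String maskPassword(String uri) {
        URI parsed;
        try {
            parsed = new URI(uri);
        } catch (URISyntaxException e) {
            return "<unparseable URI>";
        }
        String userInfo = parsed.getUserInfo(); // decoded, e.g. "alice:s3cr3t:pw"
        if (userInfo == null) {
            return uri; // no credentials in the authority, nothing to hide
        }
        int colon = userInfo.indexOf(':');
        if (colon < 0) {
            return uri; // user name only, no password present
        }
        String maskedUserInfo = userInfo.substring(0, colon) + ":***";
        try {
            // Rebuild from components; this constructor re-encodes as needed.
            return new URI(parsed.getScheme(), maskedUserInfo, parsed.getHost(),
                    parsed.getPort(), parsed.getPath(), parsed.getQuery(),
                    parsed.getFragment()).toString();
        } catch (URISyntaxException e) {
            return "<unparseable URI>";
        }
    }

    public static void main(String[] args) {
        // Constructed sample input; host and credentials are fictitious.
        // "%3A" is an encoded ':' inside the password.
        String uri = "ftp://alice:s3cr3t%3Apw@ftp.example.test/inbox/report.csv";

        String leaky = unsafeNotFoundMessage(uri);
        String masked = safeNotFoundMessage(uri);

        System.out.println("before: " + leaky);
        System.out.println("after:  " + masked);

        // The property a regression test for this issue should assert on:
        // the password never appears in the message; the user name may.
        if (masked.contains("s3cr3t")) {
            throw new AssertionError("password leaked into exception message");
        }
        if (!leaky.contains("s3cr3t")) {
            throw new AssertionError("expected the unsafe variant to leak");
        }
    }
}
```

The check in main is the one worth keeping in a unit test when auditing similar code: build the message from a URI with a known dummy password and assert the password substring is absent. Note that masking the message only closes this path; any other place that logs or serialises the same URI object (stack traces, toString calls, debug logging) needs the same treatment.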

Credit:

Marek Šunda (finder)

References:

https://issues.apache.org/jira/browse/VFS-169
https://commons.apache.org/
https://www.cve.org/CVERecord?id=CVE-2025-30474

