CVE-2022-45047

critical

Published 2022-11-16 · Modified 2024-02-16

CVSS v3

9.8

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2

—

VIR risk

9.8

Description

Class org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider in Apache MINA SSHD <= 2.9.1 uses Java deserialization to load a serialized java.security.PrivateKey. The class is one of several implementations that an implementor using Apache MINA SSHD can choose for loading the host keys of an SSH server.

Predictions

Exploit likelihood

97%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2022-45047

OS impact

OS	Version	Status	Fixed in
debian	forky	fixed	`0`
debian	sid	fixed	`0`
debian	trixie	fixed	`0`

Package impact

Ecosystem	Package	Vulnerable	Fixed
Maven	org.apache.sshd:sshd-common	`<2.9.2`	`2.9.2`
Maven	org.apache.sshd:sshd-core	`<2.9.2`	`2.9.2`

Application impact

Vendor	Product	Versions	Fixed
apache	sshd	`{"endIncluding":"2.9.1"}`

References

CWEs

CWE-502

Verify integrity in audit chain (admin only). AS-IS.