Is jsch affected by the Terrapin attack? about jsch HOT 9 CLOSED

Hi @BernhardGruen,

Yes it is. We should be able to add support for the new "strict key exchange" OpenSSH added soon to help mitigate.

Thanks,
Jeremy

from jsch.

CVE-2023-48795 is fixed in version 0.2.15 or higher.

from jsch.

Hi @mohanchavata12,

That is a link to the original version of JSch that has been abandoned by the original developer.
The link for this fork of JSch is: https://mvnrepository.com/artifact/com.github.mwiede/jsch.

Thanks,
Jeremy

from jsch.

Hey @norrisjeremy

wow what a fast response - incredible.

Thank you so much for your answer. It seems the corresponding CVE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-48795 does not yet mention jsch. Maybe you can add jsch to it after the fix is ready.

from jsch.

Snyk also doesn't recognize 0.2.15 as having fixed this: https://security.snyk.io/vuln/SNYK-JAVA-COMGITHUBMWIEDE-6130900

from jsch.

Snyk also doesn't recognize 0.2.15 as having fixed this: https://security.snyk.io/vuln/SNYK-JAVA-COMGITHUBMWIEDE-6130900

Snyk does not know 0.2.15, latest version in list is 0.2.14

from jsch.

Which versions of the jsch is vulnerable ? No indication of the Terrapin CVE on the component versions here
https://mvnrepository.com/artifact/com.jcraft/jsch

from jsch.

Thank you Jeremy for your quick response. As per the NVD, jsch before 0.2.15 is vulnerable to the Terrapin. There is no clear sign of the CVE 2023-48795 here- https://mvnrepository.com/artifact/com.github.mwiede/jsch or either in the Sync.

from jsch.

Hi @mohanchavata12,

We have no authority over how the https://mvnrepository.com/ is operated.
If this is especially important to you, I would recommend that you attempt to directly contact them.

Thanks,
Jeremy

from jsch.