Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Commons VFS.
The FtpFileObject class can throw an exception when a file is not found, revealing the original URI in its message, which may include a password. The fix is to mask the password in the exception message
This issue affects Apache Commons VFS: before 2.10.0.
Users are recommended to upgrade to version 2.10.0, which fixes the issue.
Metrics
Affected Vendors & Products
References
History
Tue, 15 Jul 2025 13:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics |
epss
|
epss
|
Mon, 14 Jul 2025 18:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Apache
Apache commons Vfs |
|
CPEs | cpe:2.3:a:apache:commons_vfs:*:*:*:*:*:*:*:* | |
Vendors & Products |
Apache
Apache commons Vfs |
Tue, 01 Apr 2025 18:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics |
cvssV3_1
|
Sun, 23 Mar 2025 19:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
References |
|
Sun, 23 Mar 2025 14:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Commons VFS. The FtpFileObject class can throw an exception when a file is not found, revealing the original URI in its message, which may include a password. The fix is to mask the password in the exception message This issue affects Apache Commons VFS: before 2.10.0. Users are recommended to upgrade to version 2.10.0, which fixes the issue. | |
Title | Apache Commons VFS: Failing to find an FTP file can reveal the URI's password in an error message | |
Weaknesses | CWE-200 | |
References |
|

Status: PUBLISHED
Assigner: apache
Published: 2025-03-23T14:15:51.339Z
Updated: 2025-04-01T18:04:55.401Z
Reserved: 2025-03-22T14:34:44.280Z
Link: CVE-2025-30474

Updated: 2025-03-23T19:02:51.376Z

Status : Analyzed
Published: 2025-03-23T15:15:14.103
Modified: 2025-07-14T18:13:56.103
Link: CVE-2025-30474

No data.