Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Commons VFS. The FtpFileObject class can throw an exception when a file is not found, revealing the original URI in its message, which may include a password. The fix is to mask the password in the exception message This issue affects Apache Commons VFS: before 2.10.0. Users are recommended to upgrade to version 2.10.0, which fixes the issue.
History

Tue, 15 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00065}

epss

{'score': 0.00126}


Mon, 14 Jul 2025 18:15:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache commons Vfs
CPEs cpe:2.3:a:apache:commons_vfs:*:*:*:*:*:*:*:*
Vendors & Products Apache
Apache commons Vfs

Tue, 01 Apr 2025 18:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 23 Mar 2025 19:45:00 +0000

Type Values Removed Values Added
References

Sun, 23 Mar 2025 14:30:00 +0000

Type Values Removed Values Added
Description Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Commons VFS. The FtpFileObject class can throw an exception when a file is not found, revealing the original URI in its message, which may include a password. The fix is to mask the password in the exception message This issue affects Apache Commons VFS: before 2.10.0. Users are recommended to upgrade to version 2.10.0, which fixes the issue.
Title Apache Commons VFS: Failing to find an FTP file can reveal the URI's password in an error message
Weaknesses CWE-200
References

cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published: 2025-03-23T14:15:51.339Z

Updated: 2025-04-01T18:04:55.401Z

Reserved: 2025-03-22T14:34:44.280Z

Link: CVE-2025-30474

cve-icon Vulnrichment

Updated: 2025-03-23T19:02:51.376Z

cve-icon NVD

Status : Analyzed

Published: 2025-03-23T15:15:14.103

Modified: 2025-07-14T18:13:56.103

Link: CVE-2025-30474

cve-icon Redhat

No data.