CVE-2025-30474

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Commons VFS. The FtpFileObject class can throw an exception when a file is not found, revealing the original URI in its message, which may include a password. The fix is to mask the password in the exception message This issue affects Apache Commons VFS: before 2.10.0. Users are recommended to upgrade to version 2.10.0, which fixes the issue.

CVSS v3 5.0 MEDIUM

5.0^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.6 / Impact : 3.4

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://issues.apache.org/jira/browse/VFS-169	Issue Tracking Patch
https://lists.apache.org/thread/w6ztgnbk6ccry3470x191g3xwrpgy6f4	Mailing List Vendor Advisory
http://www.openwall.com/lists/oss-security/2025/03/23/2	Mailing List Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:commons_vfs:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-03-23 15:15

Updated : 2025-07-14 18:13

NVD link : CVE-2025-30474

Mitre link : CVE-2025-30474

CVE.ORG link : CVE-2025-30474

JSON object : View

Products Affected

apache

commons_vfs

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

{"id": "CVE-2025-30474", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.0, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 3.4, "exploitabilityScore": 1.6}]}, "published": "2025-03-23T15:15:14.103", "references": [{"url": "https://issues.apache.org/jira/browse/VFS-169", "tags": ["Issue Tracking", "Patch"], "source": "[email protected]"}, {"url": "https://lists.apache.org/thread/w6ztgnbk6ccry3470x191g3xwrpgy6f4", "tags": ["Mailing List", "Vendor Advisory"], "source": "[email protected]"}, {"url": "http://www.openwall.com/lists/oss-security/2025/03/23/2", "tags": ["Mailing List", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-200"}]}], "descriptions": [{"lang": "en", "value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Commons VFS.\n\nThe FtpFileObject class can throw an exception when a file is not found, revealing the original URI in its message, which may include a password. The fix is to mask the password in the exception message\nThis issue affects Apache Commons VFS: before 2.10.0.\n\nUsers are recommended to upgrade to version 2.10.0, which fixes the issue."}, {"lang": "es", "value": "Vulnerabilidad de exposici\u00f3n de informaci\u00f3n confidencial a un agente no autorizado en Apache Commons VFS. La clase FtpFileObject puede generar una excepci\u00f3n cuando no se encuentra un archivo, revelando la URI original en su mensaje, que puede incluir una contrase\u00f1a. La soluci\u00f3n consiste en ocultar la contrase\u00f1a en el mensaje de excepci\u00f3n. Este problema afecta a Apache Commons VFS anteriores a la versi\u00f3n 2.10.0. Se recomienda actualizar a la versi\u00f3n 2.10.0, que soluciona el problema."}], "lastModified": "2025-07-14T18:13:56.103", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:commons_vfs:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4BABF8CF-5800-484E-9B46-701503CA903B", "versionEndExcluding": "2.10.0"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}