CVE-2025-30474

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-30474
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-30474.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-30474
Aliases
Related
Published
2025-03-23T15:15:14Z
Modified
2025-04-02T18:00:50Z
Downstream
Summary
[none]
Details

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Commons VFS.

The FtpFileObject class can throw an exception when a file is not found, revealing the original URI in its message, which may include a password. The fix is to mask the password in the exception message.

This issue affects Apache Commons VFS: before 2.10.0.

Users are recommended to upgrade to version 2.10.0, which fixes the issue.

References

Affected packages

Debian:11 / commons-vfs

Package

Name
commons-vfs
Purl
pkg:deb/debian/commons-vfs?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.0-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / commons-vfs

Package

Name
commons-vfs
Purl
pkg:deb/debian/commons-vfs?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.0-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / commons-vfs

Package

Name
commons-vfs
Purl
pkg:deb/debian/commons-vfs?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.0-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}