Apache Commons VFS Password Exposure Vulnerability in FtpFileObject

Vulnerability

Apache Commons VFS in versions prior to 2.10.0 can expose sensitive information, specifically passwords, to unauthorized actors. When a file cannot be found, the FtpFileObject class throws a FileSystemException whose message contains the original URI, including any password carried in the URI's userinfo part (a URI of the form ftp://user:password@host/path). Applications routinely log exception messages, and those logs are forwarded and archived, so the password can end up readable by anyone with access to the log pipeline.

Impact

Anyone who can read the application's logs, or the monitoring and log-aggregation systems that collect them, can recover the FTP credentials from the exception message and use them to access the FTP server and the files it holds. No interaction with the application is needed to trigger the leak: it is enough that an affected version attempted to access a missing file and that the resulting exception message was logged.

Reproduction

To reproduce this vulnerability with an affected version, attempt to access a file on an FTP server using a URI that embeds the credentials, for example ftp://user:password@host/path/missing.txt, where the file does not exist. The FileSystemException thrown by FtpFileObject carries the full URI, password included, in its message. If the application logs the exception, the password appears in plain text in the log files; searching the logs for the password string confirms the exposure.

Remediation

Users are advised to upgrade to Apache Commons VFS version 2.10.0 or later, which addresses this vulnerability by masking passwords in exception messages. The upgrade does not undo exposure that has already happened: any password that appeared in an exception message should be treated as compromised and rotated, and log files and archives written by affected versions should be searched for embedded credentials and scrubbed. Keeping credentials out of the URI altogether, and supplying them through FileSystemOptions with a UserAuthenticator instead, removes the password from file names and therefore from any message built from them.
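The two log-side tasks above, confirming that a password reached the logs (Reproduction) and scrubbing archived logs and listing the accounts to rotate (Remediation), as an added example in Python. This is not Apache Commons VFS code. The sample log lines and the exception wording are constructed for the demonstration, and the "***" mask is an assumption about the form a fixed version emits; adjust MASK if your version masks differently.

```python
"""Find, report and mask passwords embedded in URIs inside log lines.

Added example, not part of Apache Commons VFS. SAMPLE_LOG is constructed;
the exception text is illustrative, not the library's literal message.
"""
import re

MASK = "***"  # assumed mask string; change if your VFS version uses another

# scheme://user:password@host. RFC 3986 userinfo cannot contain a raw '/',
# '@' or whitespace, so the password group stops at the first of those.
# A plain host:port such as ftp://host:21/ does not match: no '@' follows.
_CRED_URI = re.compile(
    r"\b([a-z][a-z0-9+.-]*)://([^/\s:@]+):([^@\s/]+)@([^/\s:?#]+)",
    re.IGNORECASE,
)

SAMPLE_LOG = [  # constructed sample lines
    'INFO  resolving ftp://deploy:Pa55w0rd@ftp.example.com/reports/q2.csv',
    'ERROR org.apache.commons.vfs2.FileSystemException: could not find file '
    '"ftp://deploy:Pa55w0rd@ftp.example.com/reports/q2.csv"',
    'INFO  connected to ftp://ftp.example.com:21/ as anonymous',
    'ERROR could not find file "ftp://deploy:***@ftp.example.com/reports/q2.csv"',
]


def find_leaked_credentials(lines, mask=MASK):
    """Return (line_no, scheme, user, password, host) for every URI in the
    lines whose password is real, i.e. not already replaced by the mask."""
    hits = []
    for n, line in enumerate(lines, 1):
        for m in _CRED_URI.finditer(line):
            scheme, user, password, host = m.groups()
            if password == mask:  # already redacted, nothing exposed
                continue
            hits.append((n, scheme, user, password, host))
    return hits


def mask_uri_passwords(text, mask=MASK):
    """Replace the password of every credential-bearing URI in text."""
    return _CRED_URI.sub(
        lambda m: f"{m.group(1)}://{m.group(2)}:{mask}@{m.group(4)}", text
    )


def scrub_log(lines, mask=MASK):
    """Mask every unmasked URI password; return (scrubbed_lines, count)."""
    scrubbed, count = [], 0
    for line in lines:
        count += sum(1 for m in _CRED_URI.finditer(line) if m.group(3) != mask)
        scrubbed.append(mask_uri_passwords(line, mask))
    return scrubbed, count


def exposed_accounts(lines, mask=MASK):
    """Distinct (scheme, user, host) triples whose password appeared in the
    log: the credentials that must be rotated after the logs are scrubbed."""
    return sorted({(s, u, h) for _, s, u, _, h in find_leaked_credentials(lines, mask)})


if __name__ == "__main__":
    for n, scheme, user, password, host in find_leaked_credentials(SAMPLE_LOG):
        print(f"line {n}: {scheme} password for {user}@{host} exposed "
              f"({len(password)} chars)")
    clean, n_masked = scrub_log(SAMPLE_LOG)
    print(f"masked {n_masked} password(s); rotate: {exposed_accounts(SAMPLE_LOG)}")
    print("\n".join(clean))
```

Run it against a real log by replacing SAMPLE_LOG with the file's lines; a non-empty result from find_leaked_credentials on logs written by an affected version is the confirmation the Reproduction section asks for, and the masked line shows what a fixed version's output looks like to the same check. The regex only recognises percent-encoded-compliant userinfo, so a password containing a raw '/' or '@' would be cut short rather than missed.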

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 6.0
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.