CVE-2023-51385

In ssh in OpenSSH before 9.6, OS command injection might occur if a user name or host name has shell metacharacters, and this name is referenced by an expansion token in certain situations. For example, an untrusted Git repository can have a submodule with shell metacharacters in a user name or host name.

CVSS v3.0 6.5 MEDIUM

6.5^/10

CVSS v3.0 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://www.openssh.com/txt/release-9.6	Release Notes
https://www.openwall.com/lists/oss-security/2023/12/18/2	Mailing List Release Notes
https://github.com/openssh/openssh-portable/commit/7ef3787c84b6b524501211b11a26c742f829af1a	Patch
https://www.debian.org/security/2023/dsa-5586	Third Party Advisory
https://vin01.github.io/piptagole/ssh/security/openssh/libssh/remote-code-execution/2023/12/20/openssh-proxycommand-libssh-rce.html	Third Party Advisory
https://lists.debian.org/debian-lts-announce/2023/12/msg00017.html	Mailing List Third Party Advisory
http://www.openwall.com/lists/oss-security/2023/12/26/4	Mailing List Third Party Advisory
https://security.gentoo.org/glsa/202312-17	Third Party Advisory
https://security.netapp.com/advisory/ntap-20240105-0005/

Configurations

Configuration 1 (hide)

cpe:2.3:a:openbsd:openssh:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR	cpe:2.3:o:debian:debian_linux:10.0:::::::*
	cpe:2.3:o:debian:debian_linux:11.0:::::::*
	cpe:2.3:o:debian:debian_linux:12.0:::::::*

Information

Published : 2023-12-18 19:15

Updated : 2024-01-05 18:15

NVD link : CVE-2023-51385

Mitre link : CVE-2023-51385

JSON object : View

Products Affected

openbsd

openssh

debian

debian_linux

CWE

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://www.openssh.com/txt/release-9.6", "name": "https://www.openssh.com/txt/release-9.6", "tags": ["Release Notes"], "refsource": ""}, {"url": "https://www.openwall.com/lists/oss-security/2023/12/18/2", "name": "https://www.openwall.com/lists/oss-security/2023/12/18/2", "tags": ["Mailing List", "Release Notes"], "refsource": ""}, {"url": "https://github.com/openssh/openssh-portable/commit/7ef3787c84b6b524501211b11a26c742f829af1a", "name": "https://github.com/openssh/openssh-portable/commit/7ef3787c84b6b524501211b11a26c742f829af1a", "tags": ["Patch"], "refsource": ""}, {"url": "https://www.debian.org/security/2023/dsa-5586", "name": "DSA-5586", "tags": ["Third Party Advisory"], "refsource": ""}, {"url": "https://vin01.github.io/piptagole/ssh/security/openssh/libssh/remote-code-execution/2023/12/20/openssh-proxycommand-libssh-rce.html", "name": "https://vin01.github.io/piptagole/ssh/security/openssh/libssh/remote-code-execution/2023/12/20/openssh-proxycommand-libssh-rce.html", "tags": ["Third Party Advisory"], "refsource": ""}, {"url": "https://lists.debian.org/debian-lts-announce/2023/12/msg00017.html", "name": "[debian-lts-announce] 20231226 [SECURITY] [DLA 3694-1] openssh security update", "tags": ["Mailing List", "Third Party Advisory"], "refsource": ""}, {"url": "http://www.openwall.com/lists/oss-security/2023/12/26/4", "name": "[oss-security] 20231226 CVE-2023-51385, CVE-2023-6004: OpenSSH, libssh: Security weakness in ProxyCommand handling", "tags": ["Mailing List", "Third Party Advisory"], "refsource": ""}, {"url": "https://security.gentoo.org/glsa/202312-17", "name": "GLSA-202312-17", "tags": ["Third Party Advisory"], "refsource": ""}, {"url": "https://security.netapp.com/advisory/ntap-20240105-0005/", "name": "https://security.netapp.com/advisory/ntap-20240105-0005/", "tags": [], "refsource": ""}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "In ssh in OpenSSH before 9.6, OS command injection might occur if a user name or host name has shell metacharacters, and this name is referenced by an expansion token in certain situations. For example, an untrusted Git repository can have a submodule with shell metacharacters in a user name or host name."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-78"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2023-51385", "ASSIGNER": "cve@mitre.org"}}, "impact": {"baseMetricV3": {"cvssV3": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 3.9}}, "publishedDate": "2023-12-18T19:15Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:openbsd:openssh:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "9.6"}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:debian:debian_linux:12.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2024-01-05T18:15Z"}