CVE-2024-34713

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-34713
sshproxy is used on a gateway to transparently proxy a user SSH connection on the gateway to an internal host via SSH. Prior to version 1.6.3, any user authorized to connect to a ssh server using `sshproxy` can inject options to the `ssh` command executed by `sshproxy`. All versions of `sshproxy` are impacted. The problem is patched starting in version 1.6.3. The only workaround is to use the `force_command` option in `sshproxy.yaml`, but it's rarely relevant.

3.5 /10

CVSS v3 : LOW

V3 Legend

Vector :

Exploitability : 2.1 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://github.com/cea-hpc/sshproxy/commit/f7eabd05d5f0f951e160293692327cad9a7d9580
https://github.com/cea-hpc/sshproxy/security/advisories/GHSA-jmqp-37m5-49wh
https://github.com/cea-hpc/sshproxy/commit/f7eabd05d5f0f951e160293692327cad9a7d9580
https://github.com/cea-hpc/sshproxy/security/advisories/GHSA-jmqp-37m5-49wh
Configurations

No configuration.

History

21 Nov 2024, 09:19

Type Values Removed Values Added
References () https://github.com/cea-hpc/sshproxy/commit/f7eabd05d5f0f951e160293692327cad9a7d9580 - () https://github.com/cea-hpc/sshproxy/commit/f7eabd05d5f0f951e160293692327cad9a7d9580 -
References () https://github.com/cea-hpc/sshproxy/security/advisories/GHSA-jmqp-37m5-49wh - () https://github.com/cea-hpc/sshproxy/security/advisories/GHSA-jmqp-37m5-49wh -
Summary
  • (es) sshproxy se utiliza en una puerta de enlace para representar de forma transparente una conexión SSH de usuario en la puerta de enlace a un host interno a través de SSH. Antes de la versión 1.6.3, cualquier usuario autorizado para conectarse a un servidor ssh usando `sshproxy` podía inyectar opciones al comando `ssh` ejecutado por `sshproxy`. Todas las versiones de `sshproxy` se ven afectadas. El problema se solucionó a partir de la versión 1.6.3. La única solución es utilizar la opción `force_command` en `sshproxy.yaml`, pero rara vez es relevante.

14 May 2024, 16:17

Type Values Removed Values Added
New CVE
Information

Published : 2024-05-14 16:17

Updated : 2024-11-21 09:19

NVD link : CVE-2024-34713

Mitre link : CVE-2024-34713

CVE.ORG link : CVE-2024-34713

JSON object : View

Products Affected

No product.

CWE
CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')


NetmanageIT Website NetmanageIT OSINT Web NetmanageIT OpenCTI NetmanageIT PDF Tools NetmanageIT CTO Corner Blog NetmanageIT Email Header Analyzer NetmanageIT Password Pusher NetmanageIT Internet Health and Latency Dashboard NetmanageIT Dedicated Speed Test Site NetmanageIT Ubuntu Mirror 10Gbps Copyright OpenCVE 2024