GHSA-8vq4-8hfp-29xh

Source

https://github.com/advisories/GHSA-8vq4-8hfp-29xh

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/01/GHSA-8vq4-8hfp-29xh/GHSA-8vq4-8hfp-29xh.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-8vq4-8hfp-29xh

Aliases

CVE-2024-48460

Published

2025-01-17T00:30:48Z

Modified

2025-01-17T16:44:14.842031Z

Severity

7.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P CVSS Calculator

Summary

Eugeny Tabby Sends Password Despite Host Key Verification Failure

Details

An issue in Eugeny Tabby 1.0.213 allows a remote attacker to obtain sensitive information via the server and sends the SSH username and password even when the host key verification fails.

Database specific

{
    "github_reviewed_at": "2025-01-17T16:28:34Z",
    "github_reviewed": true,
    "severity": "HIGH",
    "nvd_published_at": "2025-01-16T22:15:39Z",
    "cwe_ids": [
        "CWE-200"
    ]
}

References

Affected packages

npm / tabby-ssh

Package

Name: tabby-ssh; View open source insights on deps.dev
Purl: pkg:npm/tabby-ssh

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.0.214