GHSA-jmqp-37m5-49wh
Suggest an improvement- Source
- https://github.com/advisories/GHSA-jmqp-37m5-49wh
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-jmqp-37m5-49wh/GHSA-jmqp-37m5-49wh.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-jmqp-37m5-49wh
- Aliases
- Published
- 2024-05-14T20:16:33Z
- Modified
- 2024-06-04T16:56:51.371442Z
- Severity
-
- 3.5 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N CVSS Calculator
- Summary
- sshproxy vulnerable to SSH option injection
- Details
-
Impact
Any user authorized to connect to a ssh server using
sshproxycan inject options to thesshcommand executed bysshproxy. All versions ofsshproxyare impacted.Patches
The problem is patched starting on version 1.6.3
Workarounds
The only workaround is to use the
force_commandoption insshproxy.yaml, but it's rarely relevant.References
- Database specific
{ "severity": "LOW", "nvd_published_at": "2024-05-14T16:17:27Z", "github_reviewed_at": "2024-05-14T20:16:33Z", "github_reviewed": true, "cwe_ids": [ "CWE-77" ] }- References
-
- https://github.com/cea-hpc/sshproxy/security/advisories/GHSA-jmqp-37m5-49wh
- https://nvd.nist.gov/vuln/detail/CVE-2024-34713
- https://github.com/cea-hpc/sshproxy/commit/3b8bccc874dc4ca2c80c956cad65722abb46f0b9
- https://github.com/cea-hpc/sshproxy/commit/f7eabd05d5f0f951e160293692327cad9a7d9580
- https://github.com/cea-hpc/sshproxy
Affected packages
Go / github.com/cea-hpc/sshproxy
Package
- Name
- github.com/cea-hpc/sshproxy
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/cea-hpc/sshproxy