CVE-2022-24950

2022-08-1601:15:12

CWE-362

[email protected]

web.nvd.nist.gov

cve-2022-24950

eternal terminal

race condition

ssh

authorization

hijack

bug

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

7.2 High

AI Score

Confidence

High

0.003 Low

EPSS

Percentile

68.4%

JSON

A race condition exists in Eternal Terminal prior to version 6.2.0 that allows an authenticated attacker to hijack other users’ SSH authorization socket, enabling the attacker to login to other systems as the targeted users. The bug is in UserTerminalRouter::getInfoForId().

Affected configurations

NVD

Node

eternal_terminal_projecteternal_terminalRange<6.2.0

CPENameOperatorVersion
eternal_terminal_project:eternal_terminaleternal terminal project eternal terminallt6.2.0

CPE	Name	Operator	Version
eternal_terminal_project:eternal_terminal	eternal terminal project eternal terminal	lt	6.2.0

CNA Affected

[
  {
    "vendor": "Jason Gauci",
    "product": "Eternal Terminal",
    "versions": [
      {
        "version": "unspecified",
        "lessThan": "6.2.0",
        "status": "affected",
        "versionType": "custom"
      }
    ]
  }
]