CVE-2023-46446

2023-11-1403:15:09

Debian Security Bug Tracker

security-tracker.debian.org

asyncssh

remote code execution

vulnerability

unix

rogue session attack

packet injection

CVSS3

6.8

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

AI Score

6.5

Confidence

High

EPSS

0.001

Percentile

36.6%

JSON

An issue in AsyncSSH before 2.14.1 allows attackers to control the remote end of an SSH client session via packet injection/removal and shell emulation, aka a “Rogue Session Attack.”

OSVersionArchitecturePackageVersionFilename
Debian12allpython-asyncssh<= 2.10.1-2+deb12u1python-asyncssh_2.10.1-2+deb12u1_all.deb
Debian11allpython-asyncssh< 2.5.0-0.1+deb11u1python-asyncssh_2.5.0-0.1+deb11u1_all.deb
Debian999allpython-asyncssh< 2.15.0-1python-asyncssh_2.15.0-1_all.deb
Debian13allpython-asyncssh< 2.15.0-1python-asyncssh_2.15.0-1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	python-asyncssh	<= 2.10.1-2+deb12u1	python-asyncssh_2.10.1-2+deb12u1_all.deb
Debian	11	all	python-asyncssh	< 2.5.0-0.1+deb11u1	python-asyncssh_2.5.0-0.1+deb11u1_all.deb
Debian	999	all	python-asyncssh	< 2.15.0-1	python-asyncssh_2.15.0-1_all.deb
Debian	13	all	python-asyncssh	< 2.15.0-1	python-asyncssh_2.15.0-1_all.deb