Lucene search

K
debiancveDebian Security Bug TrackerDEBIANCVE:CVE-2023-51385
HistoryDec 18, 2023 - 7:15 p.m.

CVE-2023-51385

2023-12-1819:15:08
Debian Security Bug Tracker
security-tracker.debian.org
99
cve-2023-51385
ssh
openssh
command injection
user name
host name
shell metacharacters
git
repository
submodule
unix

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

AI Score

7.2

Confidence

High

EPSS

0.003

Percentile

67.8%

In ssh in OpenSSH before 9.6, OS command injection might occur if a user name or host name has shell metacharacters, and this name is referenced by an expansion token in certain situations. For example, an untrusted Git repository can have a submodule with shell metacharacters in a user name or host name.

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

AI Score

7.2

Confidence

High

EPSS

0.003

Percentile

67.8%