Lucene search

GoogleOSV:GHSA-F9FQ-VJVH-779P

HistoryFeb 15, 2022 - 1:57 a.m.

Improper Input Validation in vault-ssh-helper

2022-02-1501:57:18

Google

osv.dev

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

0.001 Low

EPSS

Percentile

29.7%

JSON

HashiCorp vault-ssh-helper (github.com/hashicorp/vault-ssh-helper/helper) up to and including version 0.1.6 incorrectly accepted Vault-issued SSH OTPs for the subnet in which a host’s network interface was located, rather than the specific IP address assigned to that interface. Fixed in 0.2.0.

CPENameOperatorVersion
github.com/hashicorp/vault-ssh-helperlt0.2.0

CPE	Name	Operator	Version
	github.com/hashicorp/vault-ssh-helper	lt	0.2.0

References

github.com/hashicorp/vault-ssh-helper/blob/master/CHANGELOG.md#020-august-19-2020

github.com/hashicorp/vault-ssh-helper/commit/83effd08cbcbe4b993d776bd9b39465cd9e4603f

github.com/hashicorp/vault-ssh-helper/releases

nvd.nist.gov/vuln/detail/CVE-2020-24359

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

0.001 Low

EPSS

Percentile

29.7%

JSON

Related for OSV:GHSA-F9FQ-VJVH-779P