AsyncSSH SSH Server Authentication Bypass

The SSH server implementation of AsyncSSH before 1.12.1 does not properly check whether authentication is completed before processing other requests. A customized SSH client can simply skip the authentication step...

GHSA-97CV-6PJF-5F9Q AsyncSSH SSH Server Authentication Bypass

The SSH server implementation of AsyncSSH before 1.12.1 does not properly check whether authentication is completed before processing other requests. A customized SSH client can simply skip the authentication step...

Puppet allows local users to modify the permissions of arbitrary files

Puppet 2.7.x before 2.7.5, 2.6.x before 2.6.11, and 0.25.x allows local users to modify the permissions of arbitrary files via a symlink attack on the SSH authorizedkeys file...

GitHub Git LFS Arbitrary command execution vulnerability

GitHub Git LFS before 2.1.1 allows remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, located on a url = line in a .lfsconfig file within a repository. Specific Go Packages Affected github.com/git-lfs/git-lfs/lfsapi...

GHSA-W4XH-W33P-4V29 GitHub Git LFS Arbitrary command execution vulnerability

GitHub Git LFS before 2.1.1 allows remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, located on a url = line in a .lfsconfig file within a repository. Specific Go Packages Affected github.com/git-lfs/git-lfs/lfsapi...

Jenkins SSH Agent Plugin exposes SSH private key password to users with permission to read the build log

An exposure of sensitive information vulnerability exists in Jenkins SSH Agent Plugin 1.15 and earlier in SSHAgentStepExecution.java that exposes the SSH private key password to users with permission to read the build log. As of version 1.16, the plugin no longer logs the ssh-add invocation that...

GHSA-WWGX-94V6-FC2P Jenkins SSH Agent Plugin exposes SSH private key password to users with permission to read the build log

An exposure of sensitive information vulnerability exists in Jenkins SSH Agent Plugin 1.15 and earlier in SSHAgentStepExecution.java that exposes the SSH private key password to users with permission to read the build log. As of version 1.16, the plugin no longer logs the ssh-add invocation that...

Ansible Leaks Data Passed to ssh-keygen

Ansible "User" module leaks any data which is passed on as a parameter to ssh-keygen. This could lean in undesirable situations such as passphrases credentials passed as a parameter for the ssh-keygen executable. Showing those credentials in clear text form for every user which have access just t...

GHSA-HWRM-63V2-42G4 Ansible Leaks Data Passed to ssh-keygen

Ansible "User" module leaks any data which is passed on as a parameter to ssh-keygen. This could lean in undesirable situations such as passphrases credentials passed as a parameter for the ssh-keygen executable. Showing those credentials in clear text form for every user which have access just t...

Dulwich RCE Vulnerability

Dulwich before 0.18.5, when an SSH subprocess is used, allows remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-1000116, and CVE-2017-1000117...

GHSA-CWWH-4382-6FWR Dulwich RCE Vulnerability

Dulwich before 0.18.5, when an SSH subprocess is used, allows remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-1000116, and CVE-2017-1000117...

Jenkins SSH Plugin user passwords for encrypted SSH keys stored in plaintext

The SSH Plugin stores credentials which allow jobs to access remote servers via the SSH protocol. User passwords and passphrases for encrypted SSH keys are stored in plaintext in a configuration file...

GHSA-5GMF-8GH2-HHFP Jenkins SSH Plugin user passwords for encrypted SSH keys stored in plaintext

The SSH Plugin stores credentials which allow jobs to access remote servers via the SSH protocol. User passwords and passphrases for encrypted SSH keys are stored in plaintext in a configuration file...

com.cloudcoreo.plugins:cloudcoreo-deploytime (>=0.1.0 <=0.2.3), com.github.kostyasha.yet-another-docker:yet-another-docker-plugin (>=0.1.0 <=0.1.3) +7 more potentially affected by CVE-2017-2648 via org.jenkins-ci.plugins:ssh-slaves (>=1.10 <=1.13)

org.jenkins-ci.plugins:ssh-slaves MAVEN version =1.10, =0.1.0, =0.1.0, =1.2.8, =2.0.0, =1.3, =1.2.0, =2.9, =2.11, =2.8, =2.19 Source cves: CVE-2017-2648 Source advisory: OSV:GHSA-X654-4WJH-74Q6...

Jenkins SSH Build Agents Plugin did not verify host keys

It was found that jenkins-ssh-slaves-plugin before version 1.15 did not perform host key verification, thereby enabling Man-in-the-Middle attacks...

GHSA-X654-4WJH-74Q6 Jenkins SSH Build Agents Plugin did not verify host keys

It was found that jenkins-ssh-slaves-plugin before version 1.15 did not perform host key verification, thereby enabling Man-in-the-Middle attacks...

GHSA-FQW7-C6VR-Q29M openstack-mistral Discloses the presence of arbitrary files within the filesystem

A flaw was found in openstack-mistral. By manipulating the SSH private key filename, the std.ssh action can be used to disclose the presence of arbitrary files within the filesystem of the executor running the action. Since std.ssh privatekeyfilename can take an absolute path, it can be used to...

Updated python-twisted packages fix security vulnerability

CVE-2022-21712: It was discovered that Twisted incorrectly filtered HTTP headers when clients are being redirected to another origin. A remote attacker could use this issue to obtain sensitive information. CVE-2022-21716: It was discovered that Twisted incorrectly processed SSH handshake data on...

MGASA-2022-0168 Updated python-twisted packages fix security vulnerability

CVE-2022-21712: It was discovered that Twisted incorrectly filtered HTTP headers when clients are being redirected to another origin. A remote attacker could use this issue to obtain sensitive information. CVE-2022-21716: It was discovered that Twisted incorrectly processed SSH handshake data on...

HP System Management Homepage (SMH) Insight Diagnostics Detection (Linux SSH Login)

SSH login-based detection of HP System Management Homepage SMH Insight Diagnostics. Copyright C 2022 Greenbone Networks GmbH Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later This...