Lucene search

K
veracodeVeracode Vulnerability DatabaseVERACODE:44776
HistoryDec 21, 2023 - 9:16 a.m.

Command Injection

2023-12-2109:16:27
Veracode Vulnerability Database
sca.analysiscenter.veracode.com
14
command injection
libssh.so
vulnerability
hostname parameter
proxycommand
proxyjump
exploit
malicious code

4.8 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L

7 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.7%

libssh.so is vulnerable to Command Injection. The vulnerability is due to insufficient validation of the hostname parameter in the URI parsing process. This allows attackers to use ProxyCommand or the ProxyJump features to exploit and inject malicious code via the unchecked hostname parameter on the client.

4.8 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L

7 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.7%