CVE-2023-51385

EPSS 14.15%
Veröffentlicht 18.12.2023 19:15:08
Zuletzt bearbeitet 04.11.2025 22:15:56
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

In ssh in OpenSSH before 9.6, OS command injection might occur if a user name or host name has shell metacharacters, and this name is referenced by an expansion token in certain situations. For example, an untrusted Git repository can have a submodule with shell metacharacters in a user name or host name.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 16

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Openbsd ≫ Openssh Version < 9.6

Debian ≫ Debian Linux Version10.0

Debian ≫ Debian Linux Version11.0

Debian ≫ Debian Linux Version12.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	14.15%	0.941

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.5	3.9	2.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

https://lists.debian.org/debian-lts-announce/2023/12/msg00017.html

Third Party Advisory

Mailing List

https://www.debian.org/security/2023/dsa-5586

Third Party Advisory

http://seclists.org/fulldisclosure/2024/Mar/21

https://support.apple.com/kb/HT214084

https://security.gentoo.org/glsa/202312-17

Third Party Advisory

https://www.openssh.com/txt/release-9.6

Release Notes

https://www.openwall.com/lists/oss-security/2023/12/18/2