CVE-2024-34713 - Vulnerability Details - OpenCVE

sshproxy is used on a gateway to transparently proxy a user SSH connection on the gateway to an internal host via SSH. Prior to version 1.6.3, any user authorized to connect to a ssh server using `sshproxy` can inject options to the `ssh` command executed by `sshproxy`. All versions of `sshproxy` are impacted. The problem is patched starting in version 1.6.3. The only workaround is to use the `force_command` option in `sshproxy.yaml`, but it's rarely relevant.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0027.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2024-1670	sshproxy is used on a gateway to transparently proxy a user SSH connection on the gateway to an internal host via SSH. Prior to version 1.6.3, any user authorized to connect to a ssh server using `sshproxy` can inject options to the `ssh` command executed by `sshproxy`. All versions of `sshproxy` are impacted. The problem is patched starting in version 1.6.3. The only workaround is to use the `force_command` option in `sshproxy.yaml`, but it's rarely relevant.
Github GHSA	GHSA-jmqp-37m5-49wh	sshproxy vulnerable to SSH option injection

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/cea-hpc/sshproxy/commit/f7eabd05d5f0f951e160293692327cad9a7d9580
https://github.com/cea-hpc/sshproxy/security/advisories/GHSA-jmqp-37m5-49wh

History

No history.

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-05-14T14:38:24.770Z

Updated: 2024-08-02T02:59:21.984Z

Reserved: 2024-05-07T13:53:00.133Z

Link: CVE-2024-34713

Vulnrichment

Updated: 2024-08-02T02:59:21.984Z

NVD

Status : Awaiting Analysis

Published: 2024-05-14T16:17:27.147

Modified: 2024-11-21T09:19:14.963

Link: CVE-2024-34713

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-77

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-34713", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-05-07T13:53:00.133Z", "datePublished": "2024-05-14T14:38:24.770Z", "dateUpdated": "2024-08-02T02:59:21.984Z"}, "containers": {"cna": {"title": "sshproxy vulnerable to SSH option injection", "problemTypes": [{"descriptions": [{"cweId": "CWE-77", "lang": "en", "description": "CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/cea-hpc/sshproxy/security/advisories/GHSA-jmqp-37m5-49wh", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/cea-hpc/sshproxy/security/advisories/GHSA-jmqp-37m5-49wh"}, {"name": "https://github.com/cea-hpc/sshproxy/commit/f7eabd05d5f0f951e160293692327cad9a7d9580", "tags": ["x_refsource_MISC"], "url": "https://github.com/cea-hpc/sshproxy/commit/f7eabd05d5f0f951e160293692327cad9a7d9580"}], "affected": [{"vendor": "cea-hpc", "product": "sshproxy", "versions": [{"version": "< 1.6.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-05-14T14:38:24.770Z"}, "descriptions": [{"lang": "en", "value": "sshproxy is used on a gateway to transparently proxy a user SSH connection on the gateway to an internal host via SSH. Prior to version 1.6.3, any user authorized to connect to a ssh server using `sshproxy` can inject options to the `ssh` command executed by `sshproxy`. All versions of `sshproxy` are impacted. The problem is patched starting in version 1.6.3. The only workaround is to use the `force_command` option in `sshproxy.yaml`, but it's rarely relevant."}], "source": {"advisory": "GHSA-jmqp-37m5-49wh", "discovery": "UNKNOWN"}}, "adp": [{"affected": [{"vendor": "cea-hpc", "product": "sshproxy", "cpes": ["cpe:2.3:a:cea-hpc:sshproxy:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "1.6.3", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-05-14T16:00:37.662228Z", "id": "CVE-2024-34713", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-06T19:10:51.638Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T02:59:21.984Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/cea-hpc/sshproxy/security/advisories/GHSA-jmqp-37m5-49wh", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/cea-hpc/sshproxy/security/advisories/GHSA-jmqp-37m5-49wh"}, {"name": "https://github.com/cea-hpc/sshproxy/commit/f7eabd05d5f0f951e160293692327cad9a7d9580", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/cea-hpc/sshproxy/commit/f7eabd05d5f0f951e160293692327cad9a7d9580"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/cea-hpc/sshproxy/security/advisories/GHSA-jmqp-37m5-49wh", "name": "https://github.com/cea-hpc/sshproxy/security/advisories/GHSA-jmqp-37m5-49wh", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/cea-hpc/sshproxy/commit/f7eabd05d5f0f951e160293692327cad9a7d9580", "name": "https://github.com/cea-hpc/sshproxy/commit/f7eabd05d5f0f951e160293692327cad9a7d9580", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T02:59:21.984Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-34713", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-14T16:00:37.662228Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:cea-hpc:sshproxy:*:*:*:*:*:*:*:*"], "vendor": "cea-hpc", "product": "sshproxy", "versions": [{"status": "affected", "version": "0", "lessThan": "1.6.3", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-14T15:55:10.634Z"}}], "cna": {"title": "sshproxy vulnerable to SSH option injection", "source": {"advisory": "GHSA-jmqp-37m5-49wh", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.5, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "cea-hpc", "product": "sshproxy", "versions": [{"status": "affected", "version": "< 1.6.3"}]}], "references": [{"url": "https://github.com/cea-hpc/sshproxy/security/advisories/GHSA-jmqp-37m5-49wh", "name": "https://github.com/cea-hpc/sshproxy/security/advisories/GHSA-jmqp-37m5-49wh", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/cea-hpc/sshproxy/commit/f7eabd05d5f0f951e160293692327cad9a7d9580", "name": "https://github.com/cea-hpc/sshproxy/commit/f7eabd05d5f0f951e160293692327cad9a7d9580", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "sshproxy is used on a gateway to transparently proxy a user SSH connection on the gateway to an internal host via SSH. Prior to version 1.6.3, any user authorized to connect to a ssh server using `sshproxy` can inject options to the `ssh` command executed by `sshproxy`. All versions of `sshproxy` are impacted. The problem is patched starting in version 1.6.3. The only workaround is to use the `force_command` option in `sshproxy.yaml`, but it's rarely relevant."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-77", "description": "CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-05-14T14:38:24.770Z"}}}, "cveMetadata": {"cveId": "CVE-2024-34713", "state": "PUBLISHED", "dateUpdated": "2024-08-02T02:59:21.984Z", "dateReserved": "2024-05-07T13:53:00.133Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-05-14T14:38:24.770Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"descriptions": [{"lang": "en", "value": "sshproxy is used on a gateway to transparently proxy a user SSH connection on the gateway to an internal host via SSH. Prior to version 1.6.3, any user authorized to connect to a ssh server using `sshproxy` can inject options to the `ssh` command executed by `sshproxy`. All versions of `sshproxy` are impacted. The problem is patched starting in version 1.6.3. The only workaround is to use the `force_command` option in `sshproxy.yaml`, but it's rarely relevant."}, {"lang": "es", "value": "sshproxy se utiliza en una puerta de enlace para representar de forma transparente una conexi\u00f3n SSH de usuario en la puerta de enlace a un host interno a trav\u00e9s de SSH. Antes de la versi\u00f3n 1.6.3, cualquier usuario autorizado para conectarse a un servidor ssh usando `sshproxy` pod\u00eda inyectar opciones al comando `ssh` ejecutado por `sshproxy`. Todas las versiones de `sshproxy` se ven afectadas. El problema se solucion\u00f3 a partir de la versi\u00f3n 1.6.3. La \u00fanica soluci\u00f3n es utilizar la opci\u00f3n `force_command` en `sshproxy.yaml`, pero rara vez es relevante."}], "id": "CVE-2024-34713", "lastModified": "2024-11-21T09:19:14.963", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-05-14T16:17:27.147", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/cea-hpc/sshproxy/commit/f7eabd05d5f0f951e160293692327cad9a7d9580"}, {"source": "security-advisories@github.com", "url": "https://github.com/cea-hpc/sshproxy/security/advisories/GHSA-jmqp-37m5-49wh"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/cea-hpc/sshproxy/commit/f7eabd05d5f0f951e160293692327cad9a7d9580"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/cea-hpc/sshproxy/security/advisories/GHSA-jmqp-37m5-49wh"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-77"}], "source": "security-advisories@github.com", "type": "Secondary"}]}