Description
sshproxy is used on a gateway to transparently proxy a user SSH connection on the gateway to an internal host via SSH. Prior to version 1.6.3, any user authorized to connect to a ssh server using `sshproxy` can inject options to the `ssh` command executed by `sshproxy`. All versions of `sshproxy` are impacted. The problem is patched starting in version 1.6.3. The only workaround is to use the `force_command` option in `sshproxy.yaml`, but it's rarely relevant.
No analysis available yet.
Remediation
No remediation available yet.
Tracking
Sign in to view the affected projects.
Advisories
| Source | ID | Title |
|---|---|---|
EUVD |
EUVD-2024-1670 | sshproxy is used on a gateway to transparently proxy a user SSH connection on the gateway to an internal host via SSH. Prior to version 1.6.3, any user authorized to connect to a ssh server using `sshproxy` can inject options to the `ssh` command executed by `sshproxy`. All versions of `sshproxy` are impacted. The problem is patched starting in version 1.6.3. The only workaround is to use the `force_command` option in `sshproxy.yaml`, but it's rarely relevant. |
Github GHSA |
GHSA-jmqp-37m5-49wh | sshproxy vulnerable to SSH option injection |
References
History
No history.
Subscriptions
No data.
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2024-08-02T02:59:21.984Z
Reserved: 2024-05-07T13:53:00.133Z
Link: CVE-2024-34713
Updated: 2024-08-02T02:59:21.984Z
Status : Deferred
Published: 2024-05-14T16:17:27.147
Modified: 2026-06-17T07:33:55.653
Link: CVE-2024-34713
No data.
OpenCVE Enrichment
No data.
Weaknesses
-
CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
EUVD
Github GHSA