Arbitrary Command Injection Affecting rssh package, versions <2.3.4-r2


Severity

Recommended
0.0
high
0
10

Snyk's Security Team recommends NVD's CVSS assessment. Learn more

Threat Intelligence

EPSS
0.04% (6th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Arbitrary Command Injection vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-ALPINE316-RSSH-2843987
  • published22 Jun 2021
  • disclosed4 Feb 2019

Introduced: 4 Feb 2019

CVE-2019-1000018  (opens in a new tab)
CWE-77  (opens in a new tab)

How to fix?

Upgrade Alpine:3.16 rssh to version 2.3.4-r2 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream rssh package and not the rssh package as distributed by Alpine. See How to fix? for Alpine:3.16 relevant fixed versions and status.

rssh version 2.3.4 contains a CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in allowscp permission that can result in Local command execution. This attack appear to be exploitable via An authorized SSH user with the allowscp permission.

CVSS Scores

version 3.1