CVE-2019-1000018

Опубликовано: 04 фев. 2019

Источник: nvd

CVSS3: 7.8

CVSS2: 4.6

EPSS Низкий

Описание

rssh version 2.3.4 contains a CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in allowscp permission that can result in Local command execution. This attack appear to be exploitable via An authorized SSH user with the allowscp permission.

Ссылки

http://seclists.org/fulldisclosure/2021/May/78
Mailing List
Not Applicable
Third Party Advisory
https://esnet-security.github.io/vulnerabilities/20190115_rssh
Exploit
Third Party Advisory
https://github.com/WlX-33/PoC-for-CVE/blob/main/CVE-2021-33216%2CCVE-2019-1000018/CommScope%20Ruckus%20IoT%20Controller%201.7.1.0%20Undocumented%20Account.txt
https://lists.debian.org/debian-lts-announce/2019/01/msg00027.html
Mailing List
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HO3MDU3AH5SLYBKHH5PJ6PHC63ASIF42/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KR2OHTHMJVV4DO3HDRFQQZ5JENHDJQEN/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T42YYNWJZG422GATWAHAEK4A24OKY557/
https://security.gentoo.org/glsa/202007-29
Third Party Advisory
https://usn.ubuntu.com/3946-1/
Third Party Advisory
https://www.debian.org/security/2019/dsa-4377
Third Party Advisory
http://seclists.org/fulldisclosure/2021/May/78
Mailing List
Not Applicable
Third Party Advisory
https://esnet-security.github.io/vulnerabilities/20190115_rssh
Exploit
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2019/01/msg00027.html
Mailing List
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HO3MDU3AH5SLYBKHH5PJ6PHC63ASIF42/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KR2OHTHMJVV4DO3HDRFQQZ5JENHDJQEN/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T42YYNWJZG422GATWAHAEK4A24OKY557/
https://security.gentoo.org/glsa/202007-29
Third Party Advisory
https://usn.ubuntu.com/3946-1/
Third Party Advisory
https://www.debian.org/security/2019/dsa-4377
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:pizzashack:rssh:2.3.4:*:*:*:*:*:*:*

Конфигурация 2

Одно из

cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*

cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Конфигурация 3

Одно из

cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*

cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*

cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*

Конфигурация 4

Одно из

cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*

EPSS

Процентиль: 51%

0.00285

Низкий

7.8 High

CVSS3

4.6 Medium

CVSS2

Дефекты

CWE-77

Связанные уязвимости

CVE-2019-1000018

CVSS3: 7.8

ubuntu

около 7 лет назад

CVE-2019-1000018

CVSS3: 7.8

debian

около 7 лет назад

rssh version 2.3.4 contains a CWE-77: Improper Neutralization of Speci ...

GHSA-w832-4843-q4m8

CVSS3: 7.8

github

больше 3 лет назад

BDU:2019-01279

CVSS3: 7.8

fstec

около 7 лет назад

Уязвимость командной оболочки rssh, связанная с отсутствием мер по очистке входных данных, позволяющая нарушителю выполнить произвольные команды

EPSS

Процентиль: 51%

0.00285

Низкий

7.8 High

CVSS3

4.6 Medium

CVSS2

Дефекты

CWE-77