CVE-2020-26301

Опубликовано: 20 сент. 2021

Источник: nvd

CVSS3: 7.5

CVSS3: 10

CVSS2: 7.5

EPSS Низкий

Описание

ssh2 is client and server modules written in pure JavaScript for node.js. In ssh2 before version 1.4.0 there is a command injection vulnerability. The issue only exists on Windows. This issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input. This is fixed in version 1.4.0.

Ссылки

https://github.com/mscdex/ssh2/commit/f763271f41320e71d5cbee02ea5bc6a2ded3ca21
Patch
Third Party Advisory
https://securitylab.github.com/advisories/GHSL-2020-123-mscdex-ssh2/
Exploit
Patch
Third Party Advisory
https://www.npmjs.com/package/ssh2
Product
Third Party Advisory
https://github.com/mscdex/ssh2/commit/f763271f41320e71d5cbee02ea5bc6a2ded3ca21
Patch
Third Party Advisory
https://securitylab.github.com/advisories/GHSL-2020-123-mscdex-ssh2/
Exploit
Patch
Third Party Advisory
https://www.npmjs.com/package/ssh2
Product
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

Одновременно

cpe:2.3:a:ssh2_project:ssh2:*:*:*:*:*:node.js:*:*

Версия до 1.4.0 (исключая)

cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

EPSS

Процентиль: 90%

0.05066

Низкий

7.5 High

CVSS3

10 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-78

Связанные уязвимости

CVE-2020-26301

CVSS3: 5.4

redhat

больше 4 лет назад

GHSA-652h-xwhf-q4h6

CVSS3: 7.5

github

больше 4 лет назад

OS Command Injection in ssh2

EPSS

Процентиль: 90%

0.05066

Низкий

7.5 High

CVSS3

10 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-78