Description
ssh2 provides client and server modules written in pure JavaScript for node.js. In ssh2 before version 1.4.0 there is a command injection vulnerability. The issue only exists on Windows. This issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input. This is fixed in version 1.4.0.
A flaw was found in nodejs-ssh2. An OS command injection attack on Windows allows an attacker to perform remote code execution and potentially execute arbitrary code. The highest threat from this vulnerability is to confidentiality and integrity.
Report
This issue affects ssh2 as shipped with all versions of Red Hat OpenShift Container Storage and Red Hat OpenShift Data Foundation. However, this flaw requires a Windows-based attack, and therefore the impact is adjusted to a moderate risk.
Affected packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Red Hat OpenShift Data Foundation 4 | noobaa-core-container | Affected | | |
| Red Hat OpenShift Container Storage 4.8.0 on RHEL-8 | ocs4/cephcsi-rhel8 | Fixed | RHSA-2021:4845 | 29.11.2021 |
| Red Hat OpenShift Container Storage 4.8.0 on RHEL-8 | ocs4/mcg-core-rhel8 | Fixed | RHSA-2021:4845 | 29.11.2021 |
| Red Hat OpenShift Container Storage 4.8.0 on RHEL-8 | ocs4/mcg-rhel8-operator | Fixed | RHSA-2021:4845 | 29.11.2021 |
| Red Hat OpenShift Container Storage 4.8.0 on RHEL-8 | ocs4/ocs-must-gather-rhel8 | Fixed | RHSA-2021:4845 | 29.11.2021 |
| Red Hat OpenShift Container Storage 4.8.0 on RHEL-8 | ocs4/ocs-operator-bundle | Fixed | RHSA-2021:4845 | 29.11.2021 |
| Red Hat OpenShift Container Storage 4.8.0 on RHEL-8 | ocs4/ocs-rhel8-operator | Fixed | RHSA-2021:4845 | 29.11.2021 |
| Red Hat OpenShift Container Storage 4.8.0 on RHEL-8 | ocs4/rook-ceph-rhel8-operator | Fixed | RHSA-2021:4845 | 29.11.2021 |
| Red Hat OpenShift Container Storage 4.8.0 on RHEL-8 | ocs4/volume-replication-rhel8-operator | Fixed | RHSA-2021:4845 | 29.11.2021 |
Additional information
Status:
EPSS
CVSS3: 5.4 Medium