{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2023-51385", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-08-02T22:32:09.069Z", "dateReserved": "2023-12-18T00:00:00", "datePublished": "2023-12-18T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-03-13T21:08:08.727930"}, "descriptions": [{"lang": "en", "value": "In ssh in OpenSSH before 9.6, OS command injection might occur if a user name or host name has shell metacharacters, and this name is referenced by an expansion token in certain situations. For example, an untrusted Git repository can have a submodule with shell metacharacters in a user name or host name."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://www.openssh.com/txt/release-9.6"}, {"url": "https://www.openwall.com/lists/oss-security/2023/12/18/2"}, {"url": "https://github.com/openssh/openssh-portable/commit/7ef3787c84b6b524501211b11a26c742f829af1a"}, {"name": "DSA-5586", "tags": ["vendor-advisory"], "url": "https://www.debian.org/security/2023/dsa-5586"}, {"url": "https://vin01.github.io/piptagole/ssh/security/openssh/libssh/remote-code-execution/2023/12/20/openssh-proxycommand-libssh-rce.html"}, {"name": "[debian-lts-announce] 20231226 [SECURITY] [DLA 3694-1] openssh security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2023/12/msg00017.html"}, {"name": "[oss-security] 20231226 CVE-2023-51385, CVE-2023-6004: OpenSSH, libssh: Security weakness in ProxyCommand handling", "tags": ["mailing-list"], "url": "http://www.openwall.com/lists/oss-security/2023/12/26/4"}, {"name": "GLSA-202312-17", "tags": ["vendor-advisory"], "url": "https://security.gentoo.org/glsa/202312-17"}, {"url": "https://security.netapp.com/advisory/ntap-20240105-0005/"}, {"url": "https://support.apple.com/kb/HT214084"}, {"name": "20240313 APPLE-SA-03-07-2024-2 macOS Sonoma 14.4", "tags": ["mailing-list"], "url": "http://seclists.org/fulldisclosure/2024/Mar/21"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T22:32:09.069Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.openssh.com/txt/release-9.6", "tags": ["x_transferred"]}, {"url": "https://www.openwall.com/lists/oss-security/2023/12/18/2", "tags": ["x_transferred"]}, {"url": "https://github.com/openssh/openssh-portable/commit/7ef3787c84b6b524501211b11a26c742f829af1a", "tags": ["x_transferred"]}, {"name": "DSA-5586", "tags": ["vendor-advisory", "x_transferred"], "url": "https://www.debian.org/security/2023/dsa-5586"}, {"url": "https://vin01.github.io/piptagole/ssh/security/openssh/libssh/remote-code-execution/2023/12/20/openssh-proxycommand-libssh-rce.html", "tags": ["x_transferred"]}, {"name": "[debian-lts-announce] 20231226 [SECURITY] [DLA 3694-1] openssh security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2023/12/msg00017.html"}, {"name": "[oss-security] 20231226 CVE-2023-51385, CVE-2023-6004: OpenSSH, libssh: Security weakness in ProxyCommand handling", "tags": ["mailing-list", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2023/12/26/4"}, {"name": "GLSA-202312-17", "tags": ["vendor-advisory", "x_transferred"], "url": "https://security.gentoo.org/glsa/202312-17"}, {"url": "https://security.netapp.com/advisory/ntap-20240105-0005/", "tags": ["x_transferred"]}, {"url": "https://support.apple.com/kb/HT214084", "tags": ["x_transferred"]}, {"name": "20240313 APPLE-SA-03-07-2024-2 macOS Sonoma 14.4", "tags": ["mailing-list", "x_transferred"], "url": "http://seclists.org/fulldisclosure/2024/Mar/21"}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openbsd:openssh:*:*:*:*:*:*:*:*", "matchCriteriaId": "5308FBBB-F738-41C5-97A4-E40118E957CD", "versionEndExcluding": "9.6", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:12.0:*:*:*:*:*:*:*", "matchCriteriaId": "46D69DCC-AE4D-4EA5-861C-D60951444C6C", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In ssh in OpenSSH before 9.6, OS command injection might occur if a user name or host name has shell metacharacters, and this name is referenced by an expansion token in certain situations. For example, an untrusted Git repository can have a submodule with shell metacharacters in a user name or host name."}, {"lang": "es", "value": "En ssh en OpenSSH anterior a 9.6, la inyecci\u00f3n de comandos del sistema operativo puede ocurrir si un nombre de usuario o nombre de host tiene metacaracteres de shell, y un token de expansi\u00f3n hace referencia a este nombre en ciertas situaciones. Por ejemplo, un repositorio Git que no es de confianza puede tener un subm\u00f3dulo con metacaracteres de shell en un nombre de usuario o nombre de host."}], "id": "CVE-2023-51385", "lastModified": "2024-11-21T08:37:59.990", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-12-18T19:15:08.773", "references": [{"source": "cve@mitre.org", "url": "http://seclists.org/fulldisclosure/2024/Mar/21"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2023/12/26/4"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://github.com/openssh/openssh-portable/commit/7ef3787c84b6b524501211b11a26c742f829af1a"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2023/12/msg00017.html"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202312-17"}, {"source": "cve@mitre.org", "url": "https://security.netapp.com/advisory/ntap-20240105-0005/"}, {"source": "cve@mitre.org", "url": "https://support.apple.com/kb/HT214084"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://vin01.github.io/piptagole/ssh/security/openssh/libssh/remote-code-execution/2023/12/20/openssh-proxycommand-libssh-rce.html"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2023/dsa-5586"}, {"source": "cve@mitre.org", "tags": ["Release Notes"], "url": "https://www.openssh.com/txt/release-9.6"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Release Notes"], "url": "https://www.openwall.com/lists/oss-security/2023/12/18/2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://seclists.org/fulldisclosure/2024/Mar/21"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2023/12/26/4"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/openssh/openssh-portable/commit/7ef3787c84b6b524501211b11a26c742f829af1a"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2023/12/msg00017.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202312-17"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.netapp.com/advisory/ntap-20240105-0005/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://support.apple.com/kb/HT214084"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://vin01.github.io/piptagole/ssh/security/openssh/libssh/remote-code-execution/2023/12/20/openssh-proxycommand-libssh-rce.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2023/dsa-5586"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://www.openssh.com/txt/release-9.6"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Release Notes"], "url": "https://www.openwall.com/lists/oss-security/2023/12/18/2"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2024:0606", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "openssh-0:8.0p1-19.el8_9.2", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-01-30T00:00:00Z"}, {"advisory": "RHSA-2024:0606", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "openssh-0:8.0p1-19.el8_9.2", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-01-30T00:00:00Z"}, {"advisory": "RHSA-2024:0429", "cpe": "cpe:/a:redhat:rhel_eus:8.6", "package": "openssh-0:8.0p1-15.el8_6.3", "product_name": "Red Hat Enterprise Linux 8.6 Extended Update Support", "release_date": "2024-01-25T00:00:00Z"}, {"advisory": "RHSA-2024:0594", "cpe": "cpe:/a:redhat:rhel_eus:8.8", "package": "openssh-0:8.0p1-19.el8_8.2", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2024-01-30T00:00:00Z"}, {"advisory": "RHSA-2024:1130", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "openssh-0:8.7p1-34.el9_3.3", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-03-05T00:00:00Z"}, {"advisory": "RHSA-2024:1130", "cpe": "cpe:/o:redhat:enterprise_linux:9", "package": "openssh-0:8.7p1-34.el9_3.3", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-03-05T00:00:00Z"}, {"advisory": "RHSA-2024:0455", "cpe": "cpe:/a:redhat:rhel_eus:9.2", "package": "openssh-0:8.7p1-30.el9_2.3", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2024-01-25T00:00:00Z"}, {"advisory": "RHSA-2024:1383", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.15::el9", "package": "odf4/cephcsi-rhel9:v4.15.0-37", "product_name": "RHODF-4.15-RHEL-9", "release_date": "2024-03-19T00:00:00Z"}, {"advisory": "RHSA-2024:1383", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.15::el9", "package": "odf4/mcg-core-rhel9:v4.15.0-68", "product_name": "RHODF-4.15-RHEL-9", "release_date": "2024-03-19T00:00:00Z"}, {"advisory": "RHSA-2024:1383", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.15::el9", "package": "odf4/mcg-operator-bundle:v4.15.0-158", "product_name": "RHODF-4.15-RHEL-9", "release_date": "2024-03-19T00:00:00Z"}, {"advisory": "RHSA-2024:1383", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.15::el9", "package": "odf4/mcg-rhel9-operator:v4.15.0-39", "product_name": "RHODF-4.15-RHEL-9", "release_date": "2024-03-19T00:00:00Z"}, {"advisory": "RHSA-2024:1383", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.15::el9", "package": "odf4/ocs-client-console-rhel9:v4.15.0-58", "product_name": "RHODF-4.15-RHEL-9", "release_date": "2024-03-19T00:00:00Z"}, {"advisory": "RHSA-2024:1383", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.15::el9", "package": "odf4/ocs-client-operator-bundle:v4.15.0-158", "product_name": "RHODF-4.15-RHEL-9", "release_date": "2024-03-19T00:00:00Z"}, {"advisory": "RHSA-2024:1383", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.15::el9", "package": "odf4/ocs-client-rhel9-operator:v4.15.0-13", "product_name": "RHODF-4.15-RHEL-9", "release_date": "2024-03-19T00:00:00Z"}, {"advisory": "RHSA-2024:1383", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.15::el9", "package": "odf4/ocs-metrics-exporter-rhel9:v4.15.0-81", "product_name": "RHODF-4.15-RHEL-9", "release_date": "2024-03-19T00:00:00Z"}, {"advisory": "RHSA-2024:1383", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.15::el9", "package": "odf4/ocs-operator-bundle:v4.15.0-158", "product_name": "RHODF-4.15-RHEL-9", "release_date": "2024-03-19T00:00:00Z"}, {"advisory": "RHSA-2024:1383", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.15::el9", "package": "odf4/ocs-rhel9-operator:v4.15.0-79", "product_name": "RHODF-4.15-RHEL-9", "release_date": "2024-03-19T00:00:00Z"}, {"advisory": "RHSA-2024:1383", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.15::el9", "package": "odf4/odf-cli-rhel9:v4.15.0-22", "product_name": "RHODF-4.15-RHEL-9", "release_date": "2024-03-19T00:00:00Z"}, {"advisory": "RHSA-2024:1383", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.15::el9", "package": "odf4/odf-console-rhel9:v4.15.0-57", "product_name": "RHODF-4.15-RHEL-9", "release_date": "2024-03-19T00:00:00Z"}, {"advisory": "RHSA-2024:1383", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.15::el9", "package": "odf4/odf-cosi-sidecar-rhel9:v4.15.0-6", "product_name": "RHODF-4.15-RHEL-9", "release_date": "2024-03-19T00:00:00Z"}, {"advisory": "RHSA-2024:1383", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.15::el9", "package": "odf4/odf-csi-addons-operator-bundle:v4.15.0-158", "product_name": "RHODF-4.15-RHEL-9", "release_date": "2024-03-19T00:00:00Z"}, {"advisory": "RHSA-2024:1383", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.15::el9", "package": "odf4/odf-csi-addons-rhel9-operator:v4.15.0-15", "product_name": "RHODF-4.15-RHEL-9", "release_date": "2024-03-19T00:00:00Z"}, {"advisory": "RHSA-2024:1383", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.15::el9", "package": "odf4/odf-csi-addons-sidecar-rhel9:v4.15.0-15", "product_name": "RHODF-4.15-RHEL-9", "release_date": "2024-03-19T00:00:00Z"}, {"advisory": "RHSA-2024:1383", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.15::el9", "package": "odf4/odf-multicluster-console-rhel9:v4.15.0-54", "product_name": "RHODF-4.15-RHEL-9", "release_date": "2024-03-19T00:00:00Z"}, {"advisory": "RHSA-2024:1383", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.15::el9", "package": "odf4/odf-multicluster-operator-bundle:v4.15.0-158", "product_name": "RHODF-4.15-RHEL-9", "release_date": "2024-03-19T00:00:00Z"}, {"advisory": "RHSA-2024:1383", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.15::el9", "package": "odf4/odf-multicluster-rhel9-operator:v4.15.0-10", "product_name": "RHODF-4.15-RHEL-9", "release_date": "2024-03-19T00:00:00Z"}, {"advisory": "RHSA-2024:1383", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.15::el9", "package": "odf4/odf-must-gather-rhel9:v4.15.0-26", "product_name": "RHODF-4.15-RHEL-9", "release_date": "2024-03-19T00:00:00Z"}, {"advisory": "RHSA-2024:1383", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.15::el9", "package": "odf4/odf-operator-bundle:v4.15.0-158", "product_name": "RHODF-4.15-RHEL-9", "release_date": "2024-03-19T00:00:00Z"}, {"advisory": "RHSA-2024:1383", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.15::el9", "package": "odf4/odf-rhel9-operator:v4.15.0-19", "product_name": "RHODF-4.15-RHEL-9", "release_date": "2024-03-19T00:00:00Z"}, {"advisory": "RHSA-2024:1383", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.15::el9", "package": "odf4/odr-cluster-operator-bundle:v4.15.0-158", "product_name": "RHODF-4.15-RHEL-9", "release_date": "2024-03-19T00:00:00Z"}, {"advisory": "RHSA-2024:1383", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.15::el9", "package": "odf4/odr-hub-operator-bundle:v4.15.0-158", "product_name": "RHODF-4.15-RHEL-9", "release_date": "2024-03-19T00:00:00Z"}, {"advisory": "RHSA-2024:1383", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.15::el9", "package": "odf4/odr-rhel9-operator:v4.15.0-21", "product_name": "RHODF-4.15-RHEL-9", "release_date": "2024-03-19T00:00:00Z"}, {"advisory": "RHSA-2024:1383", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.15::el9", "package": "odf4/rook-ceph-rhel9-operator:v4.15.0-103", "product_name": "RHODF-4.15-RHEL-9", "release_date": "2024-03-19T00:00:00Z"}], "bugzilla": {"description": "openssh: potential command injection via shell metacharacters", "id": "2255271", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2255271"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "status": "verified"}, "cwe": "CWE-78", "details": ["In ssh in OpenSSH before 9.6, OS command injection might occur if a user name or host name has shell metacharacters, and this name is referenced by an expansion token in certain situations. For example, an untrusted Git repository can have a submodule with shell metacharacters in a user name or host name.", "A flaw was found in OpenSSH. In certain circumstances, a remote attacker may be able to execute arbitrary OS commands by using expansion tokens, such as %u or %h, with user names or host names that contain shell metacharacters."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2023-51385", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "openssh", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "openssh", "product_name": "Red Hat Enterprise Linux 7"}], "public_date": "2023-12-18T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-51385\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-51385"], "statement": "The ability to execute OS commands is dependent on what quoting is present in the user-supplied ssh_config directive. However, it is generally the user's responsibility to validate arguments passed to SSH.", "threat_severity": "Moderate"}