Fluid Attacks Database

Description

A flaw was found in libssh. By utilizing the ProxyCommand or ProxyJump feature, users can exploit unchecked hostname syntax on the client. This issue may allow an attacker to inject malicious code into the command of the features mentioned through the hostname parameter.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	libssh	=0.9.5-1 \|\| =0.9.5-1+deb11u1 \|\| =0.9.6-1 \|\| =0.9.6-2 \|\| =0.9.7-0+deb11u1 \|\| >=0 <0.9.8-0+deb11u1	0.9.8-0+deb11u1
debian 12	libssh	=0.10.5-2 \|\| =0.10.5-3 \|\| =0.10.5-3+hurd.1 \|\| >=0 <0.10.6-0+deb12u1	0.10.6-0+deb12u1
debian 13	libssh	>=0 <0.10.6-1	0.10.6-1
debian 14	libssh	>=0 <0.10.6-1	0.10.6-1
rpm rhel7	libssh	-	-
rpm rhel8	libssh	<0:0.9.6-14.el8	0:0.9.6-14.el8
rpm rhel9	libssh	<0:0.10.4-13.el9	0:0.10.4-13.el9

Aliases

1. CVE-2023-60042. NVD-2023-60043. OSV-DEBIAN-2023-60044. OSV-2023-60045. SECURITY-TRACKER-CVE-2023-6004

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.