Home > Vulnerability Database > CVE-2023-28113

Mend.io Vulnerability Database

CVE-2023-28113

Good to know:

Date: March 16, 2023

russh is a Rust SSH client and server library. Starting in version 0.34.0 and prior to versions 0.36.2 and 0.37.1, Diffie-Hellman key validation is insufficient, which can lead to insecure shared secrets and therefore breaks confidentiality. Connections between a russh client and server or those of a russh peer with some other misbehaving peer are most likely to be problematic. These may vulnerable to eavesdropping. Most other implementations reject such keys, so this is mainly an interoperability issue in such a case. This issue is fixed in versions 0.36.2 and 0.37.1

Language: RUST

Severity Score

5.9

Related Resources (8)

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-28113

Url: https://github.com/warp-tech/russh/releases/tag/v0.36.2

Url: https://github.com/warp-tech/russh/releases/tag/v0.37.1

Url: https://github.com/warp-tech/russh/commit/d831a3716d3719dc76f091fcea9d94bd4ef97c6e

Url: https://github.com/warp-tech/russh/security/advisories/GHSA-cqvm-j2r2-hwpg

Url: https://github.com/warp-tech/russh/blob/master/russh/src/kex/dh/groups.rs#L72-L76

Url: https://github.com/warp-tech/russh/blob/master/russh/src/kex/dh/groups.rs#L78-L81

Url: https://www.mend.io/vulnerability-database/CVE-2023-28113

Severity Score

5.9

Weakness Type (CWE)

Improper Verification of Cryptographic Signature

CWE-347

Top Fix

Upgrade Version

Upgrade to version russh - 0.36.2,0.37.1

Learn More

CVSS v3.1

Base Score:	5.9
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2023-28113

Good to know:

Date: March 16, 2023

Language: RUST

Severity Score

Related Resources (8)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?