CVE-2024-34713

Good to know:

Date: May 14, 2024

sshproxy is used on a gateway to transparently proxy a user's SSH connection from the gateway to an internal host via SSH. Prior to version 1.6.3, any user authorized to connect to an SSH server using "sshproxy" can inject options into the "ssh" command executed by "sshproxy". All versions of "sshproxy" before 1.6.3 are impacted. The problem is patched starting in version 1.6.3. The only workaround is to use the "force_command" option in "sshproxy.yaml", but it's rarely relevant.

Language: Go

Severity Score

Weakness Type (CWE)

Improper Neutralization of Special Elements used in a Command ('Command Injection')

CWE-77

Top Fix

Upgrade Version

Upgrade to version github.com/cea-hpc/sshproxy - v1.6.3

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): LOW
User Interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality (C): LOW
Integrity (I): NONE
Availability (A): NONE
