CVE-2019-1000018
published 2019-02-04

CVE-2019-1000018: rssh version 2.3.4 contains a CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in allowscp permission…

Priority P348 high 7.8 CVSS 3.1
AV:L / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 1.88% (76.8th percentile)
rssh version 2.3.4 contains a CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in the allowscp permission that can result in local command execution. This attack appears to be exploitable by an authorized SSH user with the allowscp permission.

Affected

20 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | | |
| canonical | ubuntu_linux | | |
| canonical | ubuntu_linux | | |
| canonical | ubuntu_linux | | |
| debian | debian_linux | | |
| debian | debian_linux | | |
| fedoraproject | fedora | | |
| fedoraproject | fedora | | |
| fedoraproject | fedora | | |
| pizzashack | rssh | | |
| rssh | rssh | >= 0 < 2.3.4-r2 | 2.3.4-r2 |
| rssh | rssh | >= 0 < 2.3.4-r2 | 2.3.4-r2 |
| rssh | rssh | >= 0 < 2.3.4-r2 | 2.3.4-r2 |
| rssh | rssh | >= 0 < 2.3.4-r2 | 2.3.4-r2 |
| rssh | rssh | >= 0 < 2.3.4-r2 | 2.3.4-r2 |
| rssh | rssh | >= 0 < 2.3.4-r2 | 2.3.4-r2 |
| rssh | rssh | >= 0 < 2.3.4-r2 | 2.3.4-r2 |
| rssh | rssh | >= 0 < 2.3.4-r2 | 2.3.4-r2 |
| rssh | rssh | >= 0 < 2.3.4-r2 | 2.3.4-r2 |
| rssh | rssh | >= 0 < 2.3.4-r2 | 2.3.4-r2 |

CVSS provenance

nvd  v3.1  7.8  HIGH  CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd  v2.0  4.6  MEDIUM  AV:L/AC:L/Au:N/C:P/I:P/A:P
osv  7.8  HIGH