CVE-2019-1000018
Published 2019-02-04
Priority P3 · 48 · high · 7.8 CVSS 3.1
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 1.88% (76.8th percentile)
rssh version 2.3.4 contains a CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in the allowscp permission that can result in local command execution. This attack appears to be exploitable via an authorized SSH user with the allowscp permission.
Affected
20 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| pizzashack | rssh | — | — |
| rssh | rssh | >= 0 < 2.3.4-r2 | 2.3.4-r2 |
| rssh | rssh | >= 0 < 2.3.4-r2 | 2.3.4-r2 |
| rssh | rssh | >= 0 < 2.3.4-r2 | 2.3.4-r2 |
| rssh | rssh | >= 0 < 2.3.4-r2 | 2.3.4-r2 |
| rssh | rssh | >= 0 < 2.3.4-r2 | 2.3.4-r2 |
| rssh | rssh | >= 0 < 2.3.4-r2 | 2.3.4-r2 |
| rssh | rssh | >= 0 < 2.3.4-r2 | 2.3.4-r2 |
| rssh | rssh | >= 0 < 2.3.4-r2 | 2.3.4-r2 |
| rssh | rssh | >= 0 < 2.3.4-r2 | 2.3.4-r2 |
| rssh | rssh | >= 0 < 2.3.4-r2 | 2.3.4-r2 |
CVSS provenance
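| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 4.6 | MEDIUM | AV:L/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 7.8 | HIGH | — |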
GHSA
GHSA-w832-4843-q4m8: rssh version 2
ghsa_unreviewed·2022-05-13
OSV
CVE-2019-1000018: rssh version 2
osv·2019-02-04·CVSS 7.8
Ubuntu
rssh vulnerabilities
vendor_ubuntu·2019-04-11
Title: rssh vulnerabilities
Summary: rssh could be made to run arbitrary commands if it received specially crafted
input.
It was discovered that rssh incorrectly handled certain command-line arguments
and environment variables. An authenticated user could bypass rssh's command
restrictions, allowing an attacker to run arbitrary commands.
Instructions: In general, a standard system update will make all the necessary changes.
Bugzilla
CVE-2019-1000018 rssh: Possible allowscp bypass resulting in arbitrary code execution [epel-all]
bugzilla·2019-01-31·CVSS 7.8
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple s
Bugzilla
CVE-2019-1000018 rssh: Possible allowscp bypass resulting in arbitrary code execution
bugzilla·2019-01-31·CVSS 7.8
The allowscp option is intended to restrict users to only being able to scp files to or from the server, and not be able to run commands on the server.
When a user runs scp on their client, an scp command is also run on the server. This runs through rssh (the restricted user’s shell), which attempts to verify the arguments are “secure.” We can control exactly which scp command is run on the server by supplying it as an argument to ssh. If rssh considers our invocation secure, it will execute that command.
References:
https://esnet-security.github.io/vulnerabilities/20190115_rssh
Upstream issue:
https://sourceforge.net/p/rssh/mailman/message/36519118/
Discussion:
Created rssh tracking bugs for thi
Bugzilla
CVE-2019-1000018 rssh: Possible allowscp bypass resulting in arbitrary code execution [fedora-all]
bugzilla·2019-01-31·CVSS 7.8
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multip
References:
http://seclists.org/fulldisclosure/2021/May/78
https://esnet-security.github.io/vulnerabilities/20190115_rssh
https://github.com/WlX-33/PoC-for-CVE/blob/main/CVE-2021-33216%2CCVE-2019-1000018/CommScope%20Ruckus%20IoT%20Controller%201.7.1.0%20Undocumented%20Account.txt
https://lists.debian.org/debian-lts-announce/2019/01/msg00027.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HO3MDU3AH5SLYBKHH5PJ6PHC63ASIF42/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KR2OHTHMJVV4DO3HDRFQQZ5JENHDJQEN/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T42YYNWJZG422GATWAHAEK4A24OKY557/
https://security.gentoo.org/glsa/202007-29
https://usn.ubuntu.com/3946-1/
https://www.debian.org/security/2019/dsa-4377