CVE-2020-26301
published 2021-09-20

Priority P266 · critical · 10 · CVSS 3.1
AV:N / AC:L / PR:N / UI:N / S:C / C:H / I:H / A:H
EPSS: 3.83% (88.8th percentile)

ssh2 is client and server modules written in pure JavaScript for node.js. In ssh2 before version 1.4.0 there is a command injection vulnerability. The issue only exists on Windows. This issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input. This is fixed in version 1.4.0.

Affected

3 ranges
Vendor | Product | Version range | Fixed in
mscdex | ssh2 | < 1.4.0 | 1.4.0
ssh | ssh2 | >= 0 < 1.4.0 | 1.4.0
ssh2_project | ssh2 | < 1.4.0 | 1.4.0

Detection & IOCs · extracted from sources

  • Vulnerability exists only on Windows platforms in the ssh2 Node.js library before version 1.4.0; detection should focus on Windows hosts running vulnerable ssh2 versions
  • Flag use of ssh2 npm package versions prior to 1.4.0 on Windows nodes, particularly in OpenShift/NooBaa deployments
  • Monitor noobaa-core-container in Red Hat OpenShift Data Foundation 4 environments for exploitation attempts, as it is a confirmed affected package
  • Exploitation is Windows-only; Linux/macOS deployments of ssh2 are not affected by this command injection vector
  • The vulnerability is triggered only when a caller passes untrusted input to the specific vulnerable method; safe/trusted input usage is not exploitable

CVSS provenance

nvd | v3.1 | 10.0 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P
vendor_redhat | 7.5 | HIGH