CVE-2020-26301 — OS Command Injection in Ssh2
Severity
NVD: 10.0 CRITICAL
CNA: 7.5
EPSS
5.1%
top 10.20%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Sep 20
Latest update: Sep 21
Description
ssh2 provides SSH client and server modules written in pure JavaScript for Node.js. Versions of ssh2 before 1.4.0 contain a command injection vulnerability. The issue exists only on Windows. It may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input. The issue is fixed in version 1.4.0.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 6.0