CVE-2023-51385
published 2023-12-18
Priority: P3 · 53 · medium · 6.5 CVSS 3.1
AV:N / AC:L / PR:N / UI:N / S:U / C:L / I:L / A:N
EPSS
19.75%
97.1th percentile
In ssh in OpenSSH before 9.6, OS command injection might occur if a user name or host name has shell metacharacters, and this name is referenced by an expansion token in certain situations. For example, an untrusted Git repository can have a submodule with shell metacharacters in a user name or host name.
Affected
23 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | macos_sonoma | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | openssh | < openssh 1:9.2p1-2+deb12u2 (bookworm) | openssh 1:9.2p1-2+deb12u2 (bookworm) |
| msrc | azl3_openssh_9.5p1-2_on_azure_linux_3.0 | — | — |
| msrc | azl3_openssh_9.7p1-1_on_azure_linux_3.0 | — | — |
| msrc | azure_linux_3.0_arm | — | — |
| msrc | azure_linux_3.0_x64 | — | — |
| msrc | cbl2_openssh_8.9p1-3_on_cbl_mariner_2.0 | — | — |
| msrc | cbl_mariner_2.0_arm | — | — |
| msrc | cbl_mariner_2.0_x64 | — | — |
| openbsd | openssh | < 9.6 | 9.6 |
| openbsd | openssh | >= 0 < 1:8.4p1-5+deb11u3 | 1:8.4p1-5+deb11u3 |
| openbsd | openssh | >= 0 < 1:9.2p1-2+deb12u2 | 1:9.2p1-2+deb12u2 |
| openbsd | openssh | >= 0 < 1:9.6p1-1 | 1:9.6p1-1 |
| openbsd | openssh | >= 0 < 1:9.6p1-1 | 1:9.6p1-1 |
| openbsd | openssh | >= 0 < 1:8.2p1-4ubuntu0.11 | 1:8.2p1-4ubuntu0.11 |
| openbsd | openssh | >= 0 < 1:8.9p1-3ubuntu0.6 | 1:8.9p1-3ubuntu0.6 |
| openbsd | openssh | >= 0 < 1:7.2p2-4ubuntu2.10+esm5 | 1:7.2p2-4ubuntu2.10+esm5 |
| openbsd | openssh | >= 0 < 1:7.6p1-4ubuntu0.7+esm3 | 1:7.6p1-4ubuntu0.7+esm3 |
| paloalto | pan-os | — | — |
| paloalto | prisma_sd | — | — |
CVSS provenance
- nvd: v3.1, 6.5 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
- osv: 7.0 HIGH
- vendor_ubuntu: 7.0 HIGH
- vendor_debian: 6.5 MEDIUM
- vendor_msrc: 6.5 MEDIUM
- vendor_redhat: 6.5 MEDIUM
CISA ICS
Siemens SIMATIC S7-1500 CPU Family
cisa_ics·2025-06-12
ICS Advisory
Release Date: June 12, 2025
Alert Code: ICSA-25-162-05
Related topics:
Industrial Control System Vulnerabilities, Industrial Control Systems
As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
## 1. EXECUTIVE SUMMARY
- CVSS v4 8.7
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Siemens
- Equipment: SIMATIC S7-1500 CPU family
- Vulnerabilities: Missing Encryption of Sensitive Data, Out-of-bounds Read, Use After Free, Stack-
CISA ICS
Siemens SCALANCE W700
cisa_ics·2025-02-13
ICS Advisory
Release Date: February 13, 2025
Alert Code: ICSA-25-044-09
Related topics:
Industrial Control System Vulnerabilities, Industrial Control Systems
As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Siemens
- Equipment: SCALANCE W700
- Vulnerabilities: Double Free, Improper Restriction of Communication Channel to Intended Endpoints, Improper Resource Sh
Ubuntu
OpenSSH vulnerability
vendor_ubuntu·2024-09-16
CVE-2023-51385 OpenSSH vulnerability
Title: OpenSSH vulnerability
Summary: OpenSSH could be made to crash or run programs as your login
if it received a specially crafted input.
USN-6560-2 fixed a vulnerability in OpenSSH. This update provides
the corresponding update for Ubuntu 16.04 LTS.
Original advisory details:
It was discovered that OpenSSH incorrectly handled user names or host
names with shell metacharacters. An attacker could possibly use this
issue to perform OS command injection.
Instructions: In general, a standard system update will make all the necessary changes.
Palo Alto
PAN-SA-2024-0003 Informational Bulletin: Impact of OSS CVEs in Prisma SD-WAN ION
vendor_paloalto·2024-04-05·CVSS 4.3
CVE-2007-2768 [MEDIUM] PAN-SA-2024-0003 Informational Bulletin: Impact of OSS CVEs in Prisma SD-WAN ION
The Palo Alto Networks Product Security Assurance team has evaluated the following open source software (OSS) CVEs as they relate to Prisma SD-WAN ION. While Prisma SD-WAN ION may include the
CVEs: CVE-2007-2768, CVE-2016-10010, CVE-2016-10011, CVE-2016-10012, CVE-2016-20012, CVE-2016-8858, CVE-2019-6109, CVE-2019-6110, CVE-2019-6111, CVE-2020-12062, CVE-2021-41617, CVE-2022-4450, CVE-2023-0215, CVE-2023-0286, CVE-2023-28531, CVE-2023-38408, CVE-2023-51384, CVE-2023-51385, CVE-2023-51767
Affected products: Prisma SD
Apple
CVE-2023-51385: macOS Sonoma 14.4
vendor_apple·2024-03-07·CVSS 6.5
CVE-2023-51385 [MEDIUM] CVE-2023-51385: macOS Sonoma 14.4
Apple Security Update: About the security content of macOS Sonoma 14.4
Product: macOS Sonoma
Version: 14.4
CVE: CVE-2023-51385
Component: CVE-2023-51385
Palo Alto
PAN-SA-2024-0001 Informational Bulletin: Impact of OSS CVEs in PAN-OS
vendor_paloalto·2024-02-14·CVSS 9.8
CVE-2017-18342 [CRITICAL] PAN-SA-2024-0001 Informational Bulletin: Impact of OSS CVEs in PAN-OS
The Palo Alto Networks Product Security Assurance team has evaluated the following open source software (OSS) CVEs as they relate to PAN-OS software. While PAN-OS software may include the
CVEs: CVE-2017-18342, CVE-2017-8923, CVE-2017-9120, CVE-2019-1551, CVE-2019-16865, CVE-2019-16905, CVE-2019-19523, CVE-2019-19528, CVE-2019-19911, CVE-2020-0404, CVE-2020-0431, CVE-2020-0466, CVE-2020-10379, CVE-2020-11538, CVE-2020-11608, CVE-2020-12114, CVE-2020-12321, CVE-2020-12362, CVE-2020-12363, CVE-2020-12364, CVE-2020-13757, CVE-2020-14314, CVE-2020-14351, CVE-2020-15778, CVE-2020-1967, CVE-2020-24394, CVE-2020-24504, CVE-2020-25211, CVE-2020-25212, CVE-2020-25284, CVE-2020-25285, CVE-2020-25717, CVE-2020-26541, CVE-2020-2715
Ubuntu
OpenSSH vulnerabilities
vendor_ubuntu·2024-01-11·CVSS 5.9
CVE-2023-48795 [MEDIUM] OpenSSH vulnerabilities
Title: OpenSSH vulnerabilities
Summary: Several security issues were fixed in OpenSSH.
USN-6560-1 fixed several vulnerabilities in OpenSSH. This update provides
the corresponding update for Ubuntu 16.04 LTS and Ubuntu 18.04 LTS.
Original advisory details:
Fabian Bäumer, Marcus Brinkmann, Jörg Schwenk discovered that the SSH
protocol was vulnerable to a prefix truncation attack. If a remote attacker
was able to intercept SSH communications, extension negotiation messages
could be truncated, possibly leading to certain algorithms and features
being downgraded. This issue is known as the Terrapin attack. This update
adds protocol extensions to mitigate this issue. (CVE-2023-48795)
It was discovered that OpenSSH incorrectly handled user names or host names
with shell metacharacters. An at
Ubuntu
OpenSSH vulnerabilities
vendor_ubuntu·2024-01-03·CVSS 7.0
CVE-2021-41617 [HIGH] OpenSSH vulnerabilities
Title: OpenSSH vulnerabilities
Summary: Several security issues were fixed in OpenSSH.
It was discovered that OpenSSH incorrectly handled supplemental groups when
running helper programs for AuthorizedKeysCommand and
AuthorizedPrincipalsCommand as a different user. An attacker could possibly
use this issue to escalate privileges. This issue only affected Ubuntu
20.04 LTS. (CVE-2021-41617)
It was discovered that OpenSSH incorrectly added destination constraints
when PKCS#11 token keys were added to ssh-agent, contrary to expectations.
This issue only affected Ubuntu 22.04 LTS, and Ubuntu 23.04.
(CVE-2023-51384)
It was discovered that OpenSSH incorrectly handled user names or host names
with shell metacharacters. An attacker could possibly use this issue to
perform OS command injection.
Red Hat
openssh: potential command injection via shell metacharacters
vendor_redhat·2023-12-18·CVSS 6.5
CVE-2023-51385 [MEDIUM] CWE-78 openssh: potential command injection via shell metacharacters
In ssh in OpenSSH before 9.6, OS command injection might occur if a user name or host name has shell metacharacters, and this name is referenced by an expansion token in certain situations. For example, an untrusted Git repository can have a submodule with shell metacharacters in a user name or host name.
A flaw was found in OpenSSH. In certain circumstances, a remote attacker may be able to execute arbitrary OS commands by using expansion tokens, such as %u or %h, with user names or host names that contain shell metacharacters.
Statement: The ability to execute OS commands is dependent on what quoting is present in the user-supplied ssh_config directive. However, it is generally the user's responsibility to validate argument
Microsoft
In ssh in OpenSSH before 9.6 OS command injection might occur if a user name or host name has shell metacharacters and this name is referenced by an expansion token in certain situations. For example
vendor_msrc·2023-12-12·CVSS 6.5
CVE-2023-51385 [MEDIUM] CWE-78 In ssh in OpenSSH before 9.6 OS command injection might occur if a user name or host name has shell metacharacters and this name is referenced by an expansion token in certain situations. For example
In ssh in OpenSSH before 9.6 OS command injection might occur if a user name or host name has shell metacharacters and this name is referenced by an expansion token in certain situations. For example an untrusted Git repository can have a submodule with shell metacharacters in a user name or host name.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See
Debian
CVE-2023-51385: openssh - In ssh in OpenSSH before 9.6, OS command injection might occur if a user name or...
vendor_debian·2023·CVSS 6.5
CVE-2023-51385 [MEDIUM] CVE-2023-51385: openssh - In ssh in OpenSSH before 9.6, OS command injection might occur if a user name or...
In ssh in OpenSSH before 9.6, OS command injection might occur if a user name or host name has shell metacharacters, and this name is referenced by an expansion token in certain situations. For example, an untrusted Git repository can have a submodule with shell metacharacters in a user name or host name.
Scope: local
bookworm: resolved (fixed in 1:9.2p1-2+deb12u2)
bullseye: resolved (fixed in 1:8.4p1-5+deb11u3)
forky: resolved (fixed in 1:9.6p1-1)
sid: resolved (fixed in 1:9.6p1-1)
trixie: resolved (fixed in 1:9.6p1-1)
OSV
openssh vulnerabilities
osv·2024-01-11·CVSS 5.9
[MEDIUM] openssh vulnerabilities
USN-6560-1 fixed several vulnerabilities in OpenSSH. This update provides
the corresponding update for Ubuntu 16.04 LTS and Ubuntu 18.04 LTS.
Original advisory details:
Fabian Bäumer, Marcus Brinkmann, Jörg Schwenk discovered that the SSH
protocol was vulnerable to a prefix truncation attack. If a remote attacker
was able to intercept SSH communications, extension negotiation messages
could be truncated, possibly leading to certain algorithms and features
being downgraded. This issue is known as the Terrapin attack. This update
adds protocol extensions to mitigate this issue. (CVE-2023-48795)
It was discovered that OpenSSH incorrectly handled user names or host names
with shell metacharacters. An attacker could possibly use this issue to
perform OS command injec
OSV
openssh vulnerabilities
osv·2024-01-03·CVSS 7.0
CVE-2021-41617 [HIGH] openssh vulnerabilities
It was discovered that OpenSSH incorrectly handled supplemental groups when
running helper programs for AuthorizedKeysCommand and
AuthorizedPrincipalsCommand as a different user. An attacker could possibly
use this issue to escalate privileges. This issue only affected Ubuntu
20.04 LTS. (CVE-2021-41617)
It was discovered that OpenSSH incorrectly added destination constraints
when PKCS#11 token keys were added to ssh-agent, contrary to expectations.
This issue only affected Ubuntu 22.04 LTS, and Ubuntu 23.04.
(CVE-2023-51384)
It was discovered that OpenSSH incorrectly handled user names or host names
with shell metacharacters. An attacker could possibly use this issue to
perform OS command injection. (CVE-2023-51385)
GHSA
GHSA-5mq4-x9g5-4vc4: In ssh in OpenSSH before 9
ghsa_unreviewed·2023-12-18
CVE-2023-51385 [CRITICAL] CWE-78 GHSA-5mq4-x9g5-4vc4: In ssh in OpenSSH before 9
In ssh in OpenSSH before 9.6, OS command injection might occur if a user name or host name has shell metacharacters, and this name is referenced by an expansion token in certain situations. For example, an untrusted Git repository can have a submodule with shell metacharacters in a user name or host name.
OSV
CVE-2023-51385: In ssh in OpenSSH before 9
osv·2023-12-18·CVSS 6.5
CVE-2023-51385 [MEDIUM] CVE-2023-51385: In ssh in OpenSSH before 9
In ssh in OpenSSH before 9.6, OS command injection might occur if a user name or host name has shell metacharacters, and this name is referenced by an expansion token in certain situations. For example, an untrusted Git repository can have a submodule with shell metacharacters in a user name or host name.
No detection rules found.
No public exploits indexed.
Securelist
Exploits and vulnerabilities in Q3 2024
blogs_securelist·2024-12-06·CVSS 8.1
CVE-2024-47177 [HIGH] Exploits and vulnerabilities in Q3 2024
Table of Contents
- Statistics on registered vulnerabilities
- Exploitation statistics
- Windows and Linux vulnerability exploitation
- Most prevalent exploits
- Vulnerability exploitation in APT attacks
- Interesting vulnerabilities
- CVE-2024-47177 (CUPS filters)
- CVE-2024-38112 (MSHTML Spoofing)
- CVE-2024-6387 (regreSSHion)
- CVE-2024-3183 (Free IPA)
- CVE-2024-45519 (Zimbra)
- CVE-2024-5290 (Ubuntu wpa_supplicant)
- Conclusion and advice
Authors
- Alexander Kolesnikov
Q3 2024 saw multiple vulnerabilities discovered in Windows and Linux subsystems that are not standard for cyberattacks. This is because operating system developers have been releasing new security mitigations for whole sets of vulnerabilities in commonly used subsystems. For example, a log integrity check is set to appear in the Co
Securelist
Analyzing the vulnerability landscape in Q3 2024
blogs_securelist·2024-12-06·CVSS 8.1
CVE-2024-47177 [HIGH] Analyzing the vulnerability landscape in Q3 2024
Table of Contents
- Statistics on registered vulnerabilities
- Exploitation statistics
- Vulnerability exploitation in APT attacks
- Interesting vulnerabilities
- CVE-2024-47177 (CUPS filters)
- CVE-2024-38112 (MSHTML Spoofing)
- CVE-2024-6387 (regreSSHion)
- CVE-2024-3183 (Free IPA)
- CVE-2024-45519 (Zimbra)
- CVE-2024-5290 (Ubuntu wpa_supplicant)
- Conclusion and advice
Authors
- Alexander Kolesnikov
Q3 2024 saw multiple vulnerabilities discovered in Windows and Linux subsystems that are not standard for cyberattacks. This is because operating system developers have been releasing new security mitigations for whole sets of vulnerabilities in commonly used subsystems. For example, a log integrity check is set to appear in the Common Log Filing System (CLFS) in Windows, so the number
Huntress
CVE-2024-6387 Vulnerability: Analysis, Impact, Mitigation | Huntress
blogs_huntress·CVSS 6.5
CVE-2024-6387 [MEDIUM] CVE-2024-6387 Vulnerability: Analysis, Impact, Mitigation | Huntress
## CVE-2024-6387 Vulnerability
Published: 11/07/2025
Written by: Monica Burgess
CVE-2024-6387, also known as "Regresshion," is a critical remote code execution (RCE) vulnerability affecting specific versions of OpenSSH, the widely used tool for secure remote login. This flaw allows an unauthenticated attacker to execute arbitrary commands on a vulnerable server, potentially leading to a complete system compromise. Time to check those SSH versions.
## What is CVE-2024-6387 Vulnerability?
The CVE-2024-6387 vulnerability is a critical remote code execution flaw discovered in OpenSSH server (sshd). The issue stems from a regression introduced in OpenSSH version 9.7, which mishandles shell metacharacters in usernames during the login process. An unauthenticated attacker can exploit this by
Huntress
CVE-2023-51385 Vulnerability: Analysis, Impact, Mitigation | Huntress
blogs_huntress·CVSS 6.5
CVE-2023-51385 [MEDIUM] CVE-2023-51385 Vulnerability: Analysis, Impact, Mitigation | Huntress
## CVE-2023-51385 Vulnerability
Published: 11/07/2025
Written by: Monica Burgess
CVE-2023-51385 is a command injection vulnerability in OpenSSH's proxy command feature. An attacker could exploit this flaw by tricking a user or an automated process into connecting to a malicious server with a specially crafted hostname. This could allow the attacker to execute arbitrary commands on the client's machine, posing a significant security risk.
Alright, let's talk about a tricky one. CVE-2023-51385 is a remote code execution (RCE) vulnerability found in OpenSSH, one of the most widely used tools for secure remote connections. Specifically, the flaw exists in how some versions of the SSH client handle hostnames when using the ProxyCommand option. An attacker can craft a malicious hostname that
Bugzilla
CVE-2023-51385 openssh: potential command injection via shell metacharacters
bugzilla·2023-12-19·CVSS 6.5
CVE-2023-51385 [MEDIUM] CVE-2023-51385 openssh: potential command injection via shell metacharacters
Summary:
In ssh in OpenSSH before 9.6, OS command injection might occur if a user name or host name has shell metacharacters, and this name is referenced by an expansion token in certain situations.
Description:
If an invalid user or hostname that contained shell metacharacters was passed to ssh(1), and a ProxyCommand, LocalCommand directive or "match exec" predicate referenced the user or hostname via %u, %h or similar expansion token, then an attacker who could supply arbitrary user/hostnames to ssh(1) could potentially perform command injection depending on what quoting was present in the user-supplied ssh_config(5) directive.
This situation could arise in the case of git submodules, where a repository could
- http://seclists.org/fulldisclosure/2024/Mar/21
- http://www.openwall.com/lists/oss-security/2023/12/26/4
- http://www.openwall.com/lists/oss-security/2025/10/07/1
- http://www.openwall.com/lists/oss-security/2025/10/12/1
- https://github.com/openssh/openssh-portable/commit/7ef3787c84b6b524501211b11a26c742f829af1a
- https://lists.debian.org/debian-lts-announce/2023/12/msg00017.html
- https://security.gentoo.org/glsa/202312-17
- https://security.netapp.com/advisory/ntap-20240105-0005/
- https://support.apple.com/kb/HT214084
- https://vin01.github.io/piptagole/ssh/security/openssh/libssh/remote-code-execution/2023/12/20/openssh-proxycommand-libssh-rce.html
- https://www.debian.org/security/2023/dsa-5586
- https://www.openssh.com/txt/release-9.6
- https://www.openwall.com/lists/oss-security/2023/12/18/2
- https://cert-portal.siemens.com/productcert/html/ssa-082556.html
- https://cert-portal.siemens.com/productcert/html/ssa-769027.html
- https://cert-portal.siemens.com/productcert/html/ssa-794697.html
2023-12-18
Published