You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
sshproxy vulnerable to SSH option injection
Low severity
GitHub Reviewed
Published
May 14, 2024
in
cea-hpc/sshproxy
•
Updated Jul 8, 2024
Any user authorized to connect to a ssh server using sshproxy can inject options to the ssh command executed by sshproxy.
All versions of sshproxy are impacted.
Patches
The problem is patched starting on version 1.6.3
Workarounds
The only workaround is to use the force_command option in sshproxy.yaml, but it's rarely relevant.
Impact
Any user authorized to connect to a ssh server using
sshproxy
can inject options to thessh
command executed bysshproxy
.All versions of
sshproxy
are impacted.Patches
The problem is patched starting on version 1.6.3
Workarounds
The only workaround is to use the
force_command
option insshproxy.yaml
, but it's rarely relevant.References
References