ssh(1): validation of shell metacharacters in user names supplied on the command-line was performed too late to prevent some situations where they could be expanded from %-tokens in ssh_config. For certain configurations, such as those that use a "%u" token in a "Match exec" block, an attacker who can control the user name passed to ssh(1) could potentially execute arbitrary shell commands.
| Vendor | Product | Versions |
|---|---|---|
| openbsd | openssh | 0, < 10.3 |
Downstream vendors/products affected by this vulnerability
| Vendor | Product | Source | Confidence |
|---|---|---|---|
| ibm | qradar siem | cert_advisory | 90% |
| open source | openssh | cert_advisory | 90% |
Updated description with detailed technical information, changed severity to HIGH, and updated CVSS score to 8.1.
Updated description with new details about shell metacharacter validation and added CWE-20 and new tag 'shell-injection'.
Updated description with significant technical details about the handling of empty principals in certificates and added new tags related to security fixes.
Updated affected versions to include 10.2, changed severity to HIGH, and noted that the vulnerability is actively exploited.
Initial creation
