CVE-2020-26301
Command injection in mscdex/ssh2
Public Exploits: 1
Exploited in Wild: -
Descriptions
ssh2 is client and server modules written in pure JavaScript for node.js. In ssh2 before version 1.4.0 there is a command injection vulnerability. The issue only exists on Windows. This issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input. This is fixed in version 1.4.0.
A flaw was found in nodejs-ssh2. An OS command injection attack on Windows allows an attacker to perform remote code execution and potentially execute arbitrary code. The highest threat from this vulnerability is to confidentiality and integrity.
Timeline
- 2020-10-01 CVE Reserved
- 2021-09-20 CVE Published
- 2024-08-04 CVE Updated
- 2024-08-04 First Exploit
- 2024-08-26 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
References (5)
URL | Tag | Date |
---|---|---|
https://www.npmjs.com/package/ssh2 | Product | |
https://securitylab.github.com/advisories/GHSL-2020-123-mscdex-ssh2 | | 2024-08-04 |
https://github.com/mscdex/ssh2/commit/f763271f41320e71d5cbee02ea5bc6a2ded3ca21 | | 2021-10-01 |
https://access.redhat.com/security/cve/CVE-2020-26301 | | 2021-11-29 |
https://bugzilla.redhat.com/show_bug.cgi?id=2006958 | | 2021-11-29 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Ssh2 Project | Ssh2 | < 1.4.0 | node.js | Affected |
in Microsoft | Windows | - | - | Safe |