CVE-2023-28113
russh may use insecure Diffie-Hellman keys
Summary
- Severity Score (CVSS v3.1): 5.9
- Exploit Likelihood (EPSS): -
- Affected Versions (CPE): see "Affected Vendors, Products, and Versions" below
- Public Exploits (multiple sources): 1
- Exploited in Wild (KEV): -
- Decision (SSVC): -
Description
russh is a Rust SSH client and server library. Starting in version 0.34.0 and prior to versions 0.36.2 and 0.37.1, Diffie-Hellman key validation is insufficient, which can lead to insecure shared secrets and therefore breaks confidentiality. Connections between a russh client and server, or between a russh peer and some other misbehaving peer, are most likely to be problematic. These may be vulnerable to eavesdropping. Most other implementations reject such keys, so in that case this is mainly an interoperability issue. This issue is fixed in versions 0.36.2 and 0.37.1.
Credits: N/A
Timeline
- 2023-03-10 CVE Reserved
- 2023-03-16 CVE Published
- 2024-08-02 CVE Updated
- 2024-08-02 First Exploit
- 2024-10-06 EPSS Updated
- Exploited in Wild: no date recorded
- KEV Due Date: no date recorded
CWE
- CWE-20: Improper Input Validation
- CWE-347: Improper Verification of Cryptographic Signature
- CWE-358: Improperly Implemented Security Check for Standard
References (6)
URL | Date | SRC
---|---|---
https://github.com/warp-tech/russh/security/advisories/GHSA-cqvm-j2r2-hwpg | 2024-08-02 |
https://github.com/warp-tech/russh/commit/d831a3716d3719dc76f091fcea9d94bd4ef97c6e | 2023-03-23 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Russh Project | Russh | >= 0.34.0 < 0.36.2 | rust | Affected
Russh Project | Russh | 0.37.0 | rust | Affected
Russh Project | Russh | 0.37.0 | beta1, rust | Affected