Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2023-28113

russh is a Rust SSH client and server library. Starting in version 0.34.0 and prior to versions 0.36.2 and 0.37.1, Diffie-Hellman key validation is insufficient, which can lead to insecure shared secrets and therefore breaks confidentiality. Connections between a russh client and server or those of a russh peer with some other misbehaving peer are most likely to be problematic. These may vulnerable to eavesdropping. Most other implementations reject such keys, so this is mainly an interoperability issue in such a case. This issue is fixed in versions 0.36.2 and 0.37.1

Security Impact Summary

This vulnerability carries a MEDIUM severity rating with a CVSS v3.1 score of 5.9, indicating it can be exploited remotely over the network but requires specific conditions to be met without requiring user interaction and does not require pre-existing privileges . The vulnerability impacts confidentiality (data exposure), for affected systems. Impacting 1 product from russh_project organizations running these solutions should prioritize assessment and patching.

Historical Context

Reported in 2023, this vulnerability emerged during an era marked by increased sophistication in supply chain attacks, cloud infrastructure vulnerabilities, and software-as-a-service (SaaS) security challenges. Security practices during this period emphasized zero-trust architectures, container security, and API protection.

Published

2023-03-16T21:15:13.360

Last Modified

2024-11-21T07:54:25.910

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 5.9 (MEDIUM)

Weaknesses

Type: Secondary
CWE-20
CWE-358
Type: Primary
CWE-347

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	russh_project	russh	< 0.36.2	Yes
Application	russh_project	russh	0.37.0	Yes
Application	russh_project	russh	0.37.0	Yes

References

https://github.com/warp-tech/russh/blob/master/russh/src/kex/dh/groups.rs#L72-L76 Product ([email protected])
https://github.com/warp-tech/russh/blob/master/russh/src/kex/dh/groups.rs#L78-L81 Product ([email protected])
https://github.com/warp-tech/russh/commit/d831a3716d3719dc76f091fcea9d94bd4ef97c6e Patch ([email protected])
https://github.com/warp-tech/russh/releases/tag/v0.36.2 Release Notes ([email protected])
https://github.com/warp-tech/russh/releases/tag/v0.37.1 Release Notes ([email protected])
https://github.com/warp-tech/russh/security/advisories/GHSA-cqvm-j2r2-hwpg Exploit, Vendor Advisory ([email protected])
https://github.com/warp-tech/russh/blob/master/russh/src/kex/dh/groups.rs#L72-L76 Product (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/warp-tech/russh/blob/master/russh/src/kex/dh/groups.rs#L78-L81 Product (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/warp-tech/russh/commit/d831a3716d3719dc76f091fcea9d94bd4ef97c6e Patch (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/warp-tech/russh/releases/tag/v0.36.2 Release Notes (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/warp-tech/russh/releases/tag/v0.37.1 Release Notes (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/warp-tech/russh/security/advisories/GHSA-cqvm-j2r2-hwpg Exploit, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)

How SecUtils Interprets This CVE

SecUtils normalizes and enriches National Vulnerability Database (NVD) records by standardizing vendor and product identifiers, aggregating vulnerability metadata from both NVD and MITRE sources, and providing structured context for security teams. For russh_project's affected products, we extract Common Platform Enumeration (CPE) data, Common Weakness Enumeration (CWE) classifications, CVSS severity metrics, and reference data to enable rapid vulnerability prioritization and asset correlation. This record contains no exploit code, proof-of-concept instructions, or attack methodologies—only defensive intelligence necessary for patch management, risk assessment, and security operations.