Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2023-28113

russh is a Rust SSH client and server library. Starting in version 0.34.0 and prior to versions 0.36.2 and 0.37.1, Diffie-Hellman key validation is insufficient, which can lead to insecure shared secrets and therefore breaks confidentiality. Connections between a russh client and server or those of a russh peer with some other misbehaving peer are most likely to be problematic. These may vulnerable to eavesdropping. Most other implementations reject such keys, so this is mainly an interoperability issue in such a case. This issue is fixed in versions 0.36.2 and 0.37.1

Published

2023-03-16T21:15:13.360

Last Modified

2024-11-21T07:54:25.910

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 5.9 (MEDIUM)

Weaknesses

Type: Secondary
CWE-20
CWE-358
Type: Primary
CWE-347

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	russh_project	russh	< 0.36.2	Yes
Application	russh_project	russh	0.37.0	Yes
Application	russh_project	russh	0.37.0	Yes

References

https://github.com/warp-tech/russh/blob/master/russh/src/kex/dh/groups.rs#L72-L76 Product ([email protected])
https://github.com/warp-tech/russh/blob/master/russh/src/kex/dh/groups.rs#L78-L81 Product ([email protected])
https://github.com/warp-tech/russh/commit/d831a3716d3719dc76f091fcea9d94bd4ef97c6e Patch ([email protected])
https://github.com/warp-tech/russh/releases/tag/v0.36.2 Release Notes ([email protected])
https://github.com/warp-tech/russh/releases/tag/v0.37.1 Release Notes ([email protected])
https://github.com/warp-tech/russh/security/advisories/GHSA-cqvm-j2r2-hwpg Exploit, Vendor Advisory ([email protected])
https://github.com/warp-tech/russh/blob/master/russh/src/kex/dh/groups.rs#L72-L76 Product (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/warp-tech/russh/blob/master/russh/src/kex/dh/groups.rs#L78-L81 Product (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/warp-tech/russh/commit/d831a3716d3719dc76f091fcea9d94bd4ef97c6e Patch (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/warp-tech/russh/releases/tag/v0.36.2 Release Notes (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/warp-tech/russh/releases/tag/v0.37.1 Release Notes (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/warp-tech/russh/security/advisories/GHSA-cqvm-j2r2-hwpg Exploit, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)