Bug 2250329 (CVE-2023-46446)
Summary: | CVE-2023-46446 python-asyncssh: Rogue Session Attack | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Borja Tarraso <btarraso> |
Component: | vulnerability | Assignee: | Product Security <prodsec-ir-bot> |
Status: | NEW --- | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | amctagga, aoconnor, bniver, flucifre, gmeno, mbenjamin, mhackett, sostapov, vereddy |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | python-asyncssh 2.14.1 | Doc Type: | --- |
Doc Text: |
A flaw was found in python-synch before the 2.14.1 versions, where the client can log in to the attacker's account without the client being able to detect this. This flaw allows an attacker to control the remote end of the SSH session completely, resulting in a complete break of the confidentiality and integrity of the secure channel, which could cause more issues depending on the application logic implemented by the AsyncSSH server.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | Type: | --- | |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 2255432, 2265141, 2250330, 2250331 | ||
Bug Blocks: | 2250320 |
Description
Borja Tarraso
2023-11-17 18:22:46 UTC
Created python-asyncssh tracking bugs for this issue: Affects: epel-8 [bug 2250330] Affects: fedora-all [bug 2250331] |