Bug 2006958 (CVE-2020-26301) - CVE-2020-26301 nodejs-ssh2: Command injection by calling vulnerable method with untrusted input
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-26301
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2015207 2015208 2015209 2015691 2015762
Blocks: 2006960
Reported: 2021-09-22 17:56 UTC by Pedro Sampaio
Modified: 2021-11-29 13:39 UTC (History)

Fixed In Version: nodejs-ssh2 1.4.0
Clone Of:
Environment:
Last Closed: 2021-11-29 13:39:03 UTC
Embargoed:




Links
Red Hat Product Errata RHSA-2021:4845 (last updated 2021-11-29 13:24:49 UTC)

Description Pedro Sampaio 2021-09-22 17:56:00 UTC
ssh2 provides client and server modules written in pure JavaScript for node.js. In ssh2 before version 1.4.0 there is a command injection vulnerability. The issue only exists on Windows. This issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input. This is fixed in version 1.4.0.

References:

https://securitylab.github.com/advisories/GHSL-2020-123-mscdex-ssh2/
https://github.com/mscdex/ssh2/commit/f763271f41320e71d5cbee02ea5bc6a2ded3ca21
https://www.npmjs.com/package/ssh2

Comment 3 errata-xmlrpc 2021-11-29 13:24:47 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Storage 4.8.0 on RHEL-8

Via RHSA-2021:4845 https://access.redhat.com/errata/RHSA-2021:4845

Comment 4 Product Security DevOps Team 2021-11-29 13:39:00 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-26301

