Russh
CVE-2023-28113
MEDIUM
Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionNVD
russh is a Rust SSH client and server library. Starting in version 0.34.0 and prior to versions 0.36.2 and 0.37.1, Diffie-Hellman key validation is insufficient, which can lead to insecure shared secrets and therefore breaks confidentiality. Connections between a russh client and server or those of a russh peer with some other misbehaving peer are most likely to be problematic. These may vulnerable to eavesdropping. Most other implementations reject such keys, so this is mainly an interoperability issue in such a case. This issue is fixed in versions 0.36.2 and 0.37.1
AnalysisAI
russh is a Rust SSH client and server library. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.
Technical ContextAI
This vulnerability is classified under CWE-20. russh is a Rust SSH client and server library. Starting in version 0.34.0 and prior to versions 0.36.2 and 0.37.1, Diffie-Hellman key validation is insufficient, which can lead to insecure shared secrets and therefore breaks confidentiality. Connections between a russh client and server or those of a russh peer with some other misbehaving peer are most likely to be problematic. These may vulnerable to eavesdropping. Most other implementations reject such keys, so this is mainly an interoperability issue in such a case. This issue is fixed in versions 0.36.2 and 0.37.1 Affected products include: Russh Project Russh. Version information: version 0.34.0.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remot
Russh is a Rust SSH client & server library. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable,
Pre-authentication denial-of-service in russh SSH server library allows remote attackers to crash servers implementing k
Denial of service in Russh (Rust SSH client/server library) versions 0.34.0 through 0.60.x allows remote SSH peers to tr
Denial of service in Russh (versions 0.37.0-0.60.x), a Rust SSH client and server library, allows a malicious SSH server
Russh is a Rust SSH client & server library. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitabl
Same weakness CWE-20 – Improper Input Validation
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today