sshd in OpenSSH before 6.6 does not properly support wildcards on AcceptEnv lines in sshd_config, which allows remote attackers to bypass i…
sshd in OpenSSH before 6.6 does not properly support wildcards on AcceptEnv lines in sshd_config, which allows remote attackers to bypass intended environment restrictions by using a substring located before a wildcard character.
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as control elements or syntactic markers when they are sent to a downstream component.
https://cwe.mitre.org/data/definitions/138.html →Open in CWE collection →Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control.
https://cwe.mitre.org/data/definitions/264.html →Open in CWE collection →An attack of this type exploits a programs' vulnerabilities that allows an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. The system that uses a filter or denylist input validation, as opposed to allowlist validation is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or denylist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on.
https://capec.mitre.org/data/definitions/15.html →Open in CAPEC collection →https://capec.mitre.org/data/definitions/34.html →Open in CAPEC collection →
https://capec.mitre.org/data/definitions/105.html →Open in CAPEC collection →
| Product | Vendor | Status |
|---|---|---|
| openssh | Tracked | |
| openssh | Tracked | |
| communications_user_data_repository | * | Tracked |
| openssh | * | Tracked |