FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

rssh - multiple vulnerabilities

Affected packages
rssh < 2.3.4_2


VuXML ID d193aa9f-3f8c-11e9-9a24-6805ca0b38e8
Discovery 2019-02-04
Entry 2019-03-06

NVD reports:

rssh version 2.3.4 contains a CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in allowscp permission that can result in Local command execution. This attack appear to be exploitable via An authorized SSH user with the allowscp permission.

Insufficient sanitization of arguments passed to rsync can bypass the restrictions imposed by rssh, a restricted shell that should restrict users to perform only rsync operations, resulting in the execution of arbitrary shell commands.


CVE Name CVE-2019-1000018
CVE Name CVE-2019-3463
CVE Name CVE-2019-3464