VDB
CVE-2023-46446
CVE-2023-46446
PUBLISHED
CVSS 6.800000190734863 MEDIUM
An issue in AsyncSSH before 2.14.1 allows attackers to control the remote end of an SSH client session via packet injection/removal and shell emulation, aka a "Rogue Session Attack."
EPSS 0.39% · 60.2th percentile
Risk Scores
CVSS 3.1
6.800000190734863
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
EPSS Score
0.39%
60.2th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| PyPI | asyncssh | 0, 0, 0 |
| n/a | n/a | n/a, n/a |
| asyncssh_project | asyncssh | 0, 0, 0 |
Exploit Intelligence
- CIRCL published-proof-of-concept: CVE-2023-46446 (circl-sighting)
- CIRCL published-proof-of-concept: CVE-2023-46446 (circl-sighting)
- https://lists.debian.org/debian-lts-announce/2024/09/msg00042.html (circl)
- https://github.com/ronf/asyncssh/security/advisories/GHSA-c35q-ffpf-5qpm (circl)
- FEDORA-2023-d2956318e4 (circl)
- https://www.terrapin-attack.com (circl)
- https://github.com/ronf/asyncssh/blob/develop/docs/changes.rst (circl)
- https://github.com/advisories/GHSA-c35q-ffpf-5qpm (circl)
- http://packetstormsecurity.com/files/176280/Terrapin-SSH-Connection-Weakening.html (circl)
- https://security.netapp.com/advisory/ntap-20231222-0001/ (circl)
Timeline
- Nov 9, 2023 CVE Published
- Nov 14, 2023 EPSS Score
- Dec 14, 2023 EPSS Score
- Dec 19, 2023 PoC Published
- Dec 20, 2023 PoC Published
- Jan 13, 2024 EPSS Score
- Feb 13, 2024 EPSS Score
- Mar 14, 2024 EPSS Score
- Apr 13, 2024 EPSS Score
- May 13, 2024 EPSS Score
- Jun 13, 2024 EPSS Score
- Aug 12, 2024 EPSS Score
References
- https://github.com/ronf/asyncssh/security/advisories/GHSA-c35q-ffpf-5qpm url
- FEDORA-2023-d2956318e4 vendor-advisory
- https://www.terrapin-attack.com url
- https://github.com/ronf/asyncssh/blob/develop/docs/changes.rst url
- https://github.com/advisories/GHSA-c35q-ffpf-5qpm url
- http://packetstormsecurity.com/files/176280/Terrapin-SSH-Connection-Weakening.html url
- https://security.netapp.com/advisory/ntap-20231222-0001/ url
- https://lists.debian.org/debian-lts-announce/2024/09/msg00042.html url
- https://nvd.nist.gov/vuln/detail/CVE-2023-46446 advisory
- https://github.com/ronf/asyncssh/commit/83e43f5ea3470a8617fc388c72b062c7136efd7e url
- https://github.com/pypa/advisory-database/tree/main/vulns/asyncssh/PYSEC-2023-239.yaml url
- https://github.com/ronf/asyncssh package
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ME34ROZWMDK5KLMZKTSA422XVJZ7IMTE url
- https://security.netapp.com/advisory/ntap-20231222-0001 url