CVE-2023-51385 Information

Description

In ssh in OpenSSH before 9.6 OS command injection might occur if a user name or host name has shell metacharacters and this name is referenced by an expansion token in certain situations. For example an untrusted Git repository can have a submodule with shell metacharacters in a user name or host name.

Reference

https://www.openssh.com/txt/release-9.6 https://www.openwall.com/lists/oss-security/2023/12/18/2 https://github.com/openssh/openssh-portable/commit/7ef3787c84b6b524501211b11a26c742f829af1a