CVE-2024-34713 Information

Description

sshproxy is used on a gateway to transparently proxy a user SSH connection on the gateway to an internal host via SSH. Prior to version 1.6.3 any user authorized to connect to a ssh server using sshproxy can inject options to the ssh command executed by sshproxy. All versions of sshproxy are impacted. The problem is patched starting in version 1.6.3. The only workaround is to use the force_command option in sshproxy.yaml but it’s rarely relevant.

Reference

https://github.com/cea-hpc/sshproxy/security/advisories/GHSA-jmqp-37m5-49wh https://github.com/cea-hpc/sshproxy/commit/f7eabd05d5f0f951e160293692327cad9a7d9580