CVE-2023-28113 — MEDIUM (5.9)

Q: How severe is CVE-2023-28113?

CVE-2023-28113 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2023-28113?

Check the references section above for vendor advisories and patch information. Affected products include: Russh Project Russh.

Vulnerability Description

russh is a Rust SSH client and server library. Starting in version 0.34.0 and prior to versions 0.36.2 and 0.37.1, Diffie-Hellman key validation is insufficient, which can lead to insecure shared secrets and therefore breaks confidentiality. Connections between a russh client and server or those of a russh peer with some other misbehaving peer are most likely to be problematic. These may vulnerable to eavesdropping. Most other implementations reject such keys, so this is mainly an interoperability issue in such a case. This issue is fixed in versions 0.36.2 and 0.37.1

CVSS Score

5.9

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Russh Project	Russh	>= 0.34.0, < 0.36.2

Related Weaknesses (CWE)

CWE-20 CWE-347 CWE-358

References

FAQ

What is CVE-2023-28113?

CVE-2023-28113 is a vulnerability with a CVSS score of 5.9 (MEDIUM). russh is a Rust SSH client and server library. Starting in version 0.34.0 and prior to versions 0.36.2 and 0.37.1, Diffie-Hellman key validation is insufficient, which can lead to insecure shared secr...

How severe is CVE-2023-28113?

CVE-2023-28113 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2023-28113?

Check the references section above for vendor advisories and patch information. Affected products include: Russh Project Russh.