CVE-2019-1000018

Name: CVE-2019-1000018
Description: rssh version 2.3.4 contains a CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in allowscp permission that can result in Local command execution. This attack appears to be exploitable via an authorized SSH user with the allowscp permission.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-1650-1, DSA-4377-1
Debian Bugs: 919623

The information below is based on the following data on fixed versions.

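| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| rssh | source | jessie | 2.3.4-4+deb8u1 | | DLA-1650-1 | |
| rssh | source | stretch | 2.3.4-5+deb9u1 | | DSA-4377-1 | |
| rssh | source | (unstable) | 2.3.4-9 | | | 919623 |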

Notes

https://sourceforge.net/p/rssh/mailman/message/36519118/
