CVE-2020-26301
Command Injection vulnerability in ssh2 (npm)

Command Injection | No known exploit

What is CVE-2020-26301 About?

This is a command injection vulnerability affecting the 'ssh2' module for Node.js, specifically in versions prior to 1.4.0, but only on Windows systems. It can lead to remote code execution if untrusted input is passed to a vulnerable method. Exploitation is relatively easy if an attacker can provide crafted input to the client-side of the library.

Affected Software

ssh2 <1.4.0

Technical Details

The vulnerability exists in the 'ssh2' library's handling of specific methods, particularly on Windows. When a client of the library calls a particular vulnerable method with untrusted input, specially crafted characters within this input are not properly sanitized or escaped before being passed to a shell command (e.g., via child_process.exec or similar). This allows an attacker to inject and execute arbitrary operating system commands on the host where the vulnerable Node.js application is running, leading to remote code execution.

What is the Impact of CVE-2020-26301?

Successful exploitation may allow attackers to execute arbitrary system commands, take full control of the affected system, steal sensitive data, or launch further attacks.

What is the Exploitability of CVE-2020-26301?

Exploiting this command injection vulnerability requires an attacker to be able to provide untrusted input to a specific method within the 'ssh2' library. The complexity for exploitation is moderate, as it depends on the application's usage of the vulnerable method and its input handling. No strict authentication is inherently required by the vulnerability itself, but an attacker typically needs some level of interaction with the application to provide the malicious input. This is a remote exploitation scenario if the Node.js application processes remote untrusted data that gets funneled into the vulnerable function. The presence of direct user-controlled input being passed to OS command execution functions increases the likelihood of attack. It specifically affects Windows environments.

What are the Known Public Exploits?

No known exploits

What are the Available Fixes for CVE-2020-26301?

Available Upgrade Options

  • ssh2
    • <1.4.0 → Upgrade to 1.4.0
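To confirm whether a project still resolves an affected copy, including transitive ones, the check below walks a parsed npm `package-lock.json` and reports every `ssh2` entry below 1.4.0. It is an added example, not code from this advisory or from the ssh2 project; the function names, the lockfile layout handling and the sample lockfile (with its hypothetical `demo-app` and `deploy-helper` packages) are assumptions made for illustration.

```javascript
// Fixed release named on this page; anything that sorts before it is affected.
const FIXED = [1, 4, 0];
// Parse "1.3.0" or "1.4.0-beta.1" into numeric parts plus a prerelease flag.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(v));
  return m && { parts: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) };
}
function isAffected(v) {
  const p = parseVersion(v);
  if (!p) return true; // assumption: unparseable (git/URL) specs are flagged for review
  for (let i = 0; i < 3; i++) {
    if (p.parts[i] !== FIXED[i]) return p.parts[i] < FIXED[i];
  }
  return p.pre; // a 1.4.0 prerelease sorts before 1.4.0
}
// Collect { path, version } for every resolved ssh2 copy, direct or transitive.
function findSsh2(lock) {
  const hits = [];
  // lockfileVersion 2 and 3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (/(^|\/)node_modules\/ssh2$/.test(path)) hits.push({ path, version: meta.version });
  }
  // lockfileVersion 1: nested "dependencies" tree (skipped when "packages" exists).
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'ssh2') hits.push({ path, version: meta.version });
      walk(meta.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return hits;
}
// The issue is Windows-only, so "exposed" records whether the platform is win32.
function auditSsh2(lock, platform = process.platform) {
  return findSsh2(lock)
    .filter((h) => isAffected(h.version))
    .map((h) => ({ ...h, exposed: platform === 'win32' }));
}
// Constructed sample lockfile; demo-app and deploy-helper are hypothetical names.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'demo-app', version: '0.0.1' },
    'node_modules/ssh2': { version: '1.4.0' },
    'node_modules/deploy-helper/node_modules/ssh2': { version: '0.8.9' },
  },
};
console.log(auditSsh2(sampleLock, 'win32'));
```

Pass the deployment platform explicitly when the audit runs on a different host than the one that will run the application.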

What are Similar Vulnerabilities to CVE-2020-26301?

Similar Vulnerabilities: CVE-2021-43297, CVE-2021-43845, CVE-2022-24329, CVE-2022-23588, CVE-2023-28952