QwikSec

Security Database

CVE

CWE

Training

CVE-2022-24950

Published: Aug 16, 2022

Modified: Aug 3, 2024

PUBLISHED

Description

A race condition exists in Eternal Terminal prior to version 6.2.0 that allows an authenticated attacker to hijack other users' SSH authorization socket, enabling the attacker to login to other systems as the targeted users. The bug is in UserTerminalRouter::getInfoForId().

Vendor	Product	Versions
Jason Gauci	Eternal Terminal	affected `unspecified - < 6.2.0`

Weaknesses (CWE)

References

https://github.com/MisterTea/EternalTerminal/commit/900348bb8bc96e1c7ba4888ac8480f643c43d3c3

https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-85gw-pchc-4rf3

[oss-security] 20230216 EternalTerminal: Review report and findings (predictable /tmp file paths and file permission issues, 3 CVEs)

mailing-list

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.