QwikSec

Security Database

CVE

CWE

Training

CVE-2023-28113

Published: Mar 16, 2023

Modified: Feb 25, 2025

PUBLISHED

CVSS v3.1

5.9

MEDIUM

Description

russh is a Rust SSH client and server library. Starting in version 0.34.0 and prior to versions 0.36.2 and 0.37.1, Diffie-Hellman key validation is insufficient, which can lead to insecure shared secrets and therefore breaks confidentiality. Connections between a russh client and server or those of a russh peer with some other misbehaving peer are most likely to be problematic. These may vulnerable to eavesdropping. Most other implementations reject such keys, so this is mainly an interoperability issue in such a case. This issue is fixed in versions 0.36.2 and 0.37.1

Vendor	Product	Versions
warp-tech	russh	affected `0.34.0 - < 0.34.0` affected `0.36.2 - < 0.36.2` affected `0.37.0 - < 0.37.0` affected `0.37.1 - < 0.37.1`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

References

https://github.com/warp-tech/russh/commit/d831a3716d3719dc76f091fcea9d94bd4ef97c6e

https://github.com/warp-tech/russh/blob/master/russh/src/kex/dh/groups.rs#L72-L76

https://github.com/warp-tech/russh/blob/master/russh/src/kex/dh/groups.rs#L78-L81

https://github.com/warp-tech/russh/releases/tag/v0.36.2

https://github.com/warp-tech/russh/releases/tag/v0.37.1

https://github.com/warp-tech/russh/security/advisories/GHSA-cqvm-j2r2-hwpg

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.