CVE-2019-3464

Name
CVE-2019-3464
Description
Insufficient sanitization of environment variables passed to rsync can bypass the restrictions imposed by rssh, a restricted shell that should restrict users to perform only rsync operations, resulting in the execution of arbitrary shell commands.
NVD Severity
high
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
Mailing List https://tracker.debian.org/news/1026713/accepted-rssh-234-5deb9u2-source-amd64-into-stable-embargoed-stable/
Third Party Advisory https://www.debian.org/security/2019/dsa-4382
Mailing List https://lists.debian.org/debian-lts-announce/2019/02/msg00007.html
Third Party Advisory http://www.securityfocus.com/bid/106839
Third Party Advisory https://usn.ubuntu.com/3946-1/
Mailing List https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HO3MDU3AH5SLYBKHH5PJ6PHC63ASIF42/
Mailing List https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T42YYNWJZG422GATWAHAEK4A24OKY557/
Mailing List https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KR2OHTHMJVV4DO3HDRFQQZ5JENHDJQEN/
Third Party Advisory https://security.gentoo.org/glsa/202007-29
Mailing List http://seclists.org/fulldisclosure/2021/May/78

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:pizzashack:rssh:2.3.4:*:*:*:*:*:*:* rssh == None == 2.3.4

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
rssh 3.14-main 2.3.4-r2 Jakub Jirutka <jakub@jirutka.cz> fixed
rssh 3.13-main 2.3.4-r2 Jakub Jirutka <jakub@jirutka.cz> fixed
rssh 3.15-main 2.3.4-r2 Jakub Jirutka <jakub@jirutka.cz> fixed
rssh 3.16-main 2.3.4-r2 Jakub Jirutka <jakub@jirutka.cz> fixed
rssh 3.17-main 2.3.4-r3 Jakub Jirutka <jakub@jirutka.cz> fixed
rssh edge-main 2.3.4-r4 Jakub Jirutka <jakub@jirutka.cz> fixed
rssh 3.18-main 2.3.4-r4 Jakub Jirutka <jakub@jirutka.cz> fixed
rssh 3.19-main 2.3.4-r4 Jakub Jirutka <jakub@jirutka.cz> fixed
rssh 3.20-main 2.3.4-r4 Jakub Jirutka <jakub@jirutka.cz> fixed