CVE-2022-24950

high

Description

A race condition exists in Eternal Terminal prior to version 6.2.0 that allows an authenticated attacker to hijack other users' SSH authorization socket, enabling the attacker to login to other systems as the targeted users. The bug is in UserTerminalRouter::getInfoForId().

References

https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-85gw-pchc-4rf3

https://github.com/MisterTea/EternalTerminal/commit/900348bb8bc96e1c7ba4888ac8480f643c43d3c3

http://www.openwall.com/lists/oss-security/2023/02/16/1

Details

Source: Mitre, NVD

Published: 2022-08-16

Updated: 2023-02-16

Risk Information

CVSS v2

Base Score: 7.1

Vector: CVSS2#AV:N/AC:H/Au:S/C:C/I:C/A:C

Severity: High

CVSS v3

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Severity: High