Cyber Resilience

CVE-2023-51385

Medium · Updated

Published: 18 December 2023
Modified: 12 May 2026
KEV Added
Patch
CVSS Score v3.1: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
EPSS Score: 0.1723 (95.2th percentile)
Risk Priority: 23 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-51385 is a medium-severity OS Command Injection (CWE-78) vulnerability in the OpenSSH ssh client, also listed as affecting Debian Linux. Its CVSS base score is 6.5 (Medium).

Operationally, it ranks in the top 4.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

The vulnerability is an OS command injection flaw, tracked as CWE-78, that affects the ssh client in OpenSSH versions prior to 9.6. It occurs when a username or hostname containing shell metacharacters is expanded via certain tokens, allowing the metacharacters to be interpreted by the shell rather than treated literally. An example trigger is a submodule entry inside an untrusted Git repository that supplies a malicious username or hostname.

An attacker can supply a crafted repository or configuration that causes the vulnerable ssh client to process the expansion during operations such as cloning or submodule handling. Successful exploitation yields limited command execution on the client system with no authentication required, corresponding to the CVSS vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N.

Public advisories and vendor patches direct users to upgrade to OpenSSH 9.6 or later; the referenced commit in the portable repository addresses the expansion handling, while distribution lists from Debian and Gentoo provide coordinated update guidance and package backports.

EPSS values have remained in a narrow band near 0.18 with no pronounced post-disclosure climb.

EU & UK References

Vulnerability details

In ssh in OpenSSH before 9.6, OS command injection might occur if a user name or host name has shell metacharacters, and this name is referenced by an expansion token in certain situations. For example, an untrusted Git repository can have a submodule with shell metacharacters in a user name or host name.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

openbsd / openssh: ≤ 9.6
debian / debian linux: 10.0, 11.0, 12.0

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-78

Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.

addresses: CWE-78

Validates inputs to block special elements that would alter OS command execution.
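
The input-validation control above, applied to the submodule case from the analysis, as an added example (not code from OpenSSH, Git or this page): it audits the ssh user and host parts of .gitmodules URLs against a conservative allowlist before a repository is cloned recursively. The allowlist patterns, function names and sample file content are assumptions of this example.

```python
import re

# Allowlists assumed for this example (not OpenSSH's exact rule); bracketed IPv6 is flagged.
SAFE_HOST = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?")
SAFE_USER = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]*")
URL_LINE = re.compile(r"^[ \t]*url[ \t]*=[ \t]*(\S.*?)[ \t]*$", re.M)
SSH_URL = re.compile(r"(?:ssh|git\+ssh)://(?:(?P<user>[^@/]*)@)?(?P<host>[^/]*)", re.I)
SCP_LIKE = re.compile(r"(?:(?P<user>[^@/:]*)@)?(?P<host>[^/:]+):")

def split_ssh_target(url):
    """Return (user, host) if the URL would be handed to ssh, else None."""
    m = SSH_URL.match(url)
    if m:
        return m.group("user"), re.sub(r":\d+$", "", m.group("host"))
    if "://" not in url:              # scp-like form: [user@]host:path
        m = SCP_LIKE.match(url)
        if m:
            return m.group("user"), m.group("host")
    return None                       # https, file, relative path, ...

def audit_gitmodules(text):
    """List (url, field) pairs whose user or host fails the allowlist."""
    findings = []
    for url in URL_LINE.findall(text):
        target = split_ssh_target(url)
        if target is None:
            continue
        user, host = target
        if user is not None and not SAFE_USER.fullmatch(user):
            findings.append((url, "user"))
        if not SAFE_HOST.fullmatch(host):
            findings.append((url, "host"))
    return findings

# Constructed sample .gitmodules content (not taken from any real repository).
SAMPLE = """\
[submodule "a"]
    url = ssh://git@git.example.invalid:2222/team/a.git
[submodule "c"]
    url = https://git.example.invalid/team/c.git
[submodule "d"]
    url = ssh://git@git;example.invalid/team/d.git
[submodule "e"]
    url = ssh://gi$t@git.example.invalid/team/e.git
"""

if __name__ == "__main__":
    for url, field in audit_gitmodules(SAMPLE):
        print(f"suspicious {field} in submodule url: {url}")
```

A check like this complements, and does not replace, upgrading the ssh client to OpenSSH 9.6 or later.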

References