CVE-2022-24950

Published: Aug 16, 2022Modified: Nov 21, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.6 / Impact: 5.9

Source: NVD

Description

A race condition exists in Eternal Terminal prior to version 6.2.0 that allows an authenticated attacker to hijack other users' SSH authorization socket, enabling the attacker to login to other systems as the targeted users. The bug is in UserTerminalRouter::getInfoForId().

Affected (1)

Products: Eternal Terminal Project: Eternal Terminal

Eternal Terminal Project

1 product

Eternal Terminal

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Eternal Terminal Project Eternal Terminal	Before 6.2.0

Related CWEs

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

The product contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.

References (6)

http://www.openwall.com/lists/oss-security/2023/02/16/1

Source: cve-assign@fb.com

https://github.com/MisterTea/EternalTerminal/commit/900348bb8bc96e1c7ba4888ac8480f643c43d3c3

Source: cve-assign@fb.com

PatchThird Party Advisory

https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-85gw-pchc-4rf3

Source: cve-assign@fb.com

ExploitThird Party Advisory

http://www.openwall.com/lists/oss-security/2023/02/16/1

Source: af854a3a-2127-422b-91ae-364da2661108

https://github.com/MisterTea/EternalTerminal/commit/900348bb8bc96e1c7ba4888ac8480f643c43d3c3

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-85gw-pchc-4rf3

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.