CVE-2023-46446

Published: Nov 14, 2023Modified: Feb 25, 2026

6.8

Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

Exploitability: 1.6 / Impact: 5.2

Source: NVD

Description

An issue in AsyncSSH before 2.14.1 allows attackers to control the remote end of an SSH client session via packet injection/removal and shell emulation, aka a "Rogue Session Attack."

Affected (1)

Products: Asyncssh Project: Asyncssh

Asyncssh Project

1 product

Asyncssh

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Asyncssh Project Asyncssh	Before 2.14.1

Related CWEs

CWE-639

Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

References (15)

http://packetstormsecurity.com/files/176280/Terrapin-SSH-Connection-Weakening.html

Source: cve@mitre.org

https://github.com/advisories/GHSA-c35q-ffpf-5qpm

Source: cve@mitre.org

https://github.com/ronf/asyncssh/blob/develop/docs/changes.rst

Source: cve@mitre.org

https://github.com/ronf/asyncssh/security/advisories/GHSA-c35q-ffpf-5qpm

Source: cve@mitre.org

Third Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ME34ROZWMDK5KLMZKTSA422XVJZ7IMTE/

Source: cve@mitre.org

https://security.netapp.com/advisory/ntap-20231222-0001/

Source: cve@mitre.org

https://www.terrapin-attack.com

Source: cve@mitre.org

http://packetstormsecurity.com/files/176280/Terrapin-SSH-Connection-Weakening.html