CVE-2021-38173

CRITICAL

btrbk < 0.31.2 - Remote Command Execution via SSH Filter Bypass

Title source: llm

Description

Btrbk before 0.31.2 allows command execution because of the mishandling of remote hosts filtering SSH commands using ssh_filter_btrbk.sh in authorized_keys.

References (5)

Core 5

Core References

Patch, Third Party Advisory x_refsource_misc

https://github.com/digint/btrbk/commit/58212de771c381cd4fa05625927080bf264e9584

View Patch ZIP pw:eip

Release Notes, Third Party Advisory x_refsource_confirm

https://github.com/digint/btrbk/blob/master/ChangeLog

View Writeup ZIP pw:eip

Mailing List, Third Party Advisory mailing-list x_refsource_mlist

https://lists.debian.org/debian-lts-announce/2021/09/msg00002.html

Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LM7GLTUN5YS4KE2RNBX732EAMVVGNEX3/

Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BP2T32JMENJFRP2HWXR7FTTZVRTTPECL/

Scores

CVSS v3 9.8

EPSS 0.0020

EPSS Percentile 41.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-77

Status published

Products (4)

debian/debian_linux 9.0

digint/btrbk < 0.31.2

fedoraproject/fedora 34

fedoraproject/fedora 35

Published Aug 07, 2021

Tracked Since Feb 18, 2026