CVE-2023-28113

MEDIUM

russh <0.36.2-0.37.1 - Info Disclosure

Title source: llm

Description

russh is a Rust SSH client and server library. Starting in version 0.34.0 and prior to versions 0.36.2 and 0.37.1, Diffie-Hellman key validation is insufficient, which can lead to insecure shared secrets and therefore breaks confidentiality. Connections between a russh client and server or those of a russh peer with some other misbehaving peer are most likely to be problematic. These may vulnerable to eavesdropping. Most other implementations reject such keys, so this is mainly an interoperability issue in such a case. This issue is fixed in versions 0.36.2 and 0.37.1

References (6)

[Product] https://github.com/warp-tech/russh/blob/master/russh/src/kex/dh/groups.rs#L72-L76

[Product] https://github.com/warp-tech/russh/blob/master/russh/src/kex/dh/groups.rs#L78-L81

View Writeup ZIP pw:eip

[Patch] https://github.com/warp-tech/russh/commit/d831a3716d3719dc76f091fcea9d94bd4ef97c6e

[Release Notes] https://github.com/warp-tech/russh/releases/tag/v0.36.2

[Release Notes] https://github.com/warp-tech/russh/releases/tag/v0.37.1

[Exploit, Vendor Advisory] https://github.com/warp-tech/russh/security/advisories/GHSA-cqvm-j2r2-hwpg

Scores

CVSS v3 5.9

EPSS 0.0019

EPSS Percentile 40.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-358 CWE-20 CWE-347

Status published

Products (3)

crates.io/russh 0 - 0.36.2crates.io

russh_project/russh 0.37.0 (2 CPE variants)

russh_project/russh 0.34.0 - 0.36.2

Published Mar 16, 2023

Tracked Since Feb 18, 2026