漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
Russh: Post-decompression SSH packet size was not bounded, allowing remote oversized compressed packets
Vulnerability Description
Russh is a Rust SSH client & server library. From version 0.34.0 to before version 0.61.1, when SSH compression is enabled, russh accepted compressed packets whose on-wire size passed the normal transport packet-length checks but whose decompressed size was much larger. This allowed a remote peer to send oversized post-decompression packets that should have been rejected. In current releases, this is a remote denial-of-service / resource-exhaustion issue in the post-decompression receive path. In older releases before 0.58.0, the same remote decompression path used CryptoVec, which appears to make the historical impact worse. This issue has been patched in version 0.61.1.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Vulnerability Type
不加限制或调节的资源分配
Vulnerability Title
Russh 安全漏洞
Vulnerability Description
Russh是Eugene个人开发者的一个 Rust SSH 客户端和服务器端库。 Russh 0.34.0版本至0.61.1之前版本存在安全漏洞,该漏洞源于启用SSH压缩时接受解压后过大的数据包,可能导致远程拒绝服务或资源耗尽。
CVSS Information
N/A
Vulnerability Type
N/A