CVE-2021-38173

Btrbk before 0.31.2 allows command execution because of the mishandling of remote hosts filtering SSH commands using ssh_filter_btrbk.sh in authorized_keys.
Command Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 42%
VendorProductVersion
digintbtrbk
𝑥
< 0.31.2
debiandebian_linux
9.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
btrbk
bullseye
0.27.1-1.1+deb11u2
fixed
bookworm
0.32.5-1
fixed
sid
0.32.5-1.1
fixed
trixie
0.32.5-1.1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
btrbk
noble
not-affected
mantic
not-affected
lunar
not-affected
kinetic
not-affected
jammy
not-affected
impish
not-affected
hirsute
ignored
focal
needs-triage
bionic
needs-triage
xenial
needs-triage
trusty
dne
Common Weakness Enumeration
References
https://github.com/digint/btrbk/blob/master/ChangeLog
https://github.com/digint/btrbk/commit/58212de771c381cd4fa05625927080bf264e9584
https://lists.debian.org/debian-lts-announce/2021/09/msg00002.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BP2T32JMENJFRP2HWXR7FTTZVRTTPECL/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LM7GLTUN5YS4KE2RNBX732EAMVVGNEX3/
https://github.com/digint/btrbk/blob/master/ChangeLog
https://github.com/digint/btrbk/commit/58212de771c381cd4fa05625927080bf264e9584
https://lists.debian.org/debian-lts-announce/2021/09/msg00002.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BP2T32JMENJFRP2HWXR7FTTZVRTTPECL/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LM7GLTUN5YS4KE2RNBX732EAMVVGNEX3/