CVE-2024-35175 (GCVE-0-2024-35175)
Vulnerability from cvelistv5 – Published: 2024-05-14 22:05 – Updated: 2024-08-02 03:07
Title
sshpiper's Enabling of Proxy Protocol without proper feature flagging allows faking source address
Summary
sshpiper is a reverse proxy for sshd. Starting in version 1.0.50 and prior to version 1.3.0, the way the proxy protocol listener is implemented in sshpiper can allow an attacker to forge their connecting address. Commit 2ddd69876a1e1119059debc59fe869cb4e754430 added the proxy protocol listener as the only listener in sshpiper, with no option to toggle this functionality off. This means that any connection that sshpiper is directly (or in some cases indirectly) exposed to can use proxy protocol to forge its source address. Any users of sshpiper who need logs from it for whitelisting/rate limiting/security investigations could have them become much less useful if an attacker is sending a spoofed source address. Version 1.3.0 contains a patch for the issue.
Severity
5.3 (Medium)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-345 - Insufficient Verification of Data Authenticity
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/tg123/sshpiper/security/adviso… | x_refsource_CONFIRM |
| https://github.com/tg123/sshpiper/commit/2ddd6987… | x_refsource_MISC |
| https://github.com/tg123/sshpiper/commit/70fb830d… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:tg123:sshpiper:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "sshpiper",
"vendor": "tg123",
"versions": [
{
"lessThan": "1.3.0",
"status": "affected",
"version": "1.0.5",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-35175",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-11T20:26:15.343208Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-11T20:28:42.252Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:07:46.846Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/tg123/sshpiper/security/advisories/GHSA-4w53-6jvp-gg52",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/tg123/sshpiper/security/advisories/GHSA-4w53-6jvp-gg52"
},
{
"name": "https://github.com/tg123/sshpiper/commit/2ddd69876a1e1119059debc59fe869cb4e754430",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/tg123/sshpiper/commit/2ddd69876a1e1119059debc59fe869cb4e754430"
},
{
"name": "https://github.com/tg123/sshpiper/commit/70fb830dca26bea7ced772ce5d834a3e88ae7f53",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/tg123/sshpiper/commit/70fb830dca26bea7ced772ce5d834a3e88ae7f53"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "sshpiper",
"vendor": "tg123",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.0.50, \u003c 1.3.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "sshpiper is a reverse proxy for sshd. Starting in version 1.0.50 and prior to version 1.3.0, the way the proxy protocol listener is implemented in sshpiper can allow an attacker to forge their connecting address. Commit 2ddd69876a1e1119059debc59fe869cb4e754430 added the proxy protocol listener as the only listener in sshpiper, with no option to toggle this functionality off. This means that any connection that sshpiper is directly (or in some cases indirectly) exposed to can use proxy protocol to forge its source address. Any users of sshpiper who need logs from it for whitelisting/rate limiting/security investigations could have them become much less useful if an attacker is sending a spoofed source address. Version 1.3.0 contains a patch for the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-345",
"description": "CWE-345: Insufficient Verification of Data Authenticity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-14T22:05:11.360Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/tg123/sshpiper/security/advisories/GHSA-4w53-6jvp-gg52",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/tg123/sshpiper/security/advisories/GHSA-4w53-6jvp-gg52"
},
{
"name": "https://github.com/tg123/sshpiper/commit/2ddd69876a1e1119059debc59fe869cb4e754430",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/tg123/sshpiper/commit/2ddd69876a1e1119059debc59fe869cb4e754430"
},
{
"name": "https://github.com/tg123/sshpiper/commit/70fb830dca26bea7ced772ce5d834a3e88ae7f53",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/tg123/sshpiper/commit/70fb830dca26bea7ced772ce5d834a3e88ae7f53"
}
],
"source": {
"advisory": "GHSA-4w53-6jvp-gg52",
"discovery": "UNKNOWN"
},
"title": "sshpiper\u0027s Enabling of Proxy Protocol without proper feature flagging allows faking source address"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-35175",
"datePublished": "2024-05-14T22:05:11.360Z",
"dateReserved": "2024-05-10T14:24:24.338Z",
"dateUpdated": "2024-08-02T03:07:46.846Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2024-35175",
"date": "2026-06-12",
"epss": "0.0012",
"percentile": "0.30805"
},
"fkie_nvd": {
"descriptions": "[{\"lang\": \"en\", \"value\": \"sshpiper is a reverse proxy for sshd. Starting in version 1.0.50 and prior to version 1.3.0, the way the proxy protocol listener is implemented in sshpiper can allow an attacker to forge their connecting address. Commit 2ddd69876a1e1119059debc59fe869cb4e754430 added the proxy protocol listener as the only listener in sshpiper, with no option to toggle this functionality off. This means that any connection that sshpiper is directly (or in some cases indirectly) exposed to can use proxy protocol to forge its source address. Any users of sshpiper who need logs from it for whitelisting/rate limiting/security investigations could have them become much less useful if an attacker is sending a spoofed source address. Version 1.3.0 contains a patch for the issue.\"}, {\"lang\": \"es\", \"value\": \"sshpiper es un proxy inverso para sshd. A partir de la versi\\u00f3n 1.0.50 y antes de la versi\\u00f3n 1.3.0, la forma en que se implementa el escucha del protocolo proxy en sshpiper puede permitir que un atacante falsifique su direcci\\u00f3n de conexi\\u00f3n. El commit 2ddd69876a1e1119059debc59fe869cb4e754430 agreg\\u00f3 el escucha del protocolo proxy como el \\u00fanico escucha en sshpiper, sin opci\\u00f3n para desactivar esta funcionalidad. Esto significa que cualquier conexi\\u00f3n a la que sshpiper est\\u00e9 expuesto directamente (o en algunos casos indirectamente) puede utilizar el protocolo proxy para falsificar su direcci\\u00f3n de origen. Cualquier usuario de sshpiper que necesite registros del mismo para incluirlos en listas blancas, limitar la velocidad o realizar investigaciones de seguridad podr\\u00eda volverlos mucho menos \\u00fatiles si un atacante env\\u00eda una direcci\\u00f3n de origen falsificada. La versi\\u00f3n 1.3.0 contiene un parche para el problema.\"}]",
"id": "CVE-2024-35175",
"lastModified": "2024-11-21T09:19:52.233",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\", \"baseScore\": 5.3, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 1.4}]}",
"published": "2024-05-14T22:15:10.213",
"references": "[{\"url\": \"https://github.com/tg123/sshpiper/commit/2ddd69876a1e1119059debc59fe869cb4e754430\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/tg123/sshpiper/commit/70fb830dca26bea7ced772ce5d834a3e88ae7f53\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/tg123/sshpiper/security/advisories/GHSA-4w53-6jvp-gg52\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/tg123/sshpiper/commit/2ddd69876a1e1119059debc59fe869cb4e754430\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://github.com/tg123/sshpiper/commit/70fb830dca26bea7ced772ce5d834a3e88ae7f53\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://github.com/tg123/sshpiper/security/advisories/GHSA-4w53-6jvp-gg52\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Awaiting Analysis",
"weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-345\"}]}]"
}
}
}