VulnerableCode Vulnerability Details

Search for vulnerabilities

Vulnerability details: VCID-4957-6ur9-aaad

Essentials
Severities (110)
References (14)
Severity details (25)
Exploits (0)
EPSS
History (0)

Vulnerability ID	VCID-4957-6ur9-aaad
Aliases	CVE-2023-28113 GHSA-cqvm-j2r2-hwpg
Summary	russh is a Rust SSH client and server library. Starting in version 0.34.0 and prior to versions 0.36.2 and 0.37.1, Diffie-Hellman key validation is insufficient, which can lead to insecure shared secrets and therefore breaks confidentiality. Connections between a russh client and server or those of a russh peer with some other misbehaving peer are most likely to be problematic. These may vulnerable to eavesdropping. Most other implementations reject such keys, so this is mainly an interoperability issue in such a case. This issue is fixed in versions 0.36.2 and 0.37.1
Status	Published
Exploitability	0.5
Weighted Severity	6.2
Risk	3.1
Affected and Fixed Packages	Package Details

Weaknesses (3)

CWE-347	Improper Verification of Cryptographic Signature
CWE-20	Improper Input Validation
CWE-358	Improperly Implemented Security Check for Standard

System	Score	Found at
epss	0.00095	https://api.first.org/data/v1/epss?cve=CVE-2023-28113
epss	0.00095	https://api.first.org/data/v1/epss?cve=CVE-2023-28113
epss	0.00095	https://api.first.org/data/v1/epss?cve=CVE-2023-28113
epss	0.00095	https://api.first.org/data/v1/epss?cve=CVE-2023-28113
epss	0.00095	https://api.first.org/data/v1/epss?cve=CVE-2023-28113
epss	0.00095	https://api.first.org/data/v1/epss?cve=CVE-2023-28113
epss	0.00095	https://api.first.org/data/v1/epss?cve=CVE-2023-28113
epss	0.00095	https://api.first.org/data/v1/epss?cve=CVE-2023-28113
epss	0.00095	https://api.first.org/data/v1/epss?cve=CVE-2023-28113
epss	0.00095	https://api.first.org/data/v1/epss?cve=CVE-2023-28113
epss	0.00095	https://api.first.org/data/v1/epss?cve=CVE-2023-28113
epss	0.00095	https://api.first.org/data/v1/epss?cve=CVE-2023-28113
epss	0.00095	https://api.first.org/data/v1/epss?cve=CVE-2023-28113
epss	0.00095	https://api.first.org/data/v1/epss?cve=CVE-2023-28113
epss	0.00095	https://api.first.org/data/v1/epss?cve=CVE-2023-28113
epss	0.00095	https://api.first.org/data/v1/epss?cve=CVE-2023-28113
epss	0.00095	https://api.first.org/data/v1/epss?cve=CVE-2023-28113
epss	0.00095	https://api.first.org/data/v1/epss?cve=CVE-2023-28113
epss	0.00095	https://api.first.org/data/v1/epss?cve=CVE-2023-28113
epss	0.00095	https://api.first.org/data/v1/epss?cve=CVE-2023-28113
epss	0.00095	https://api.first.org/data/v1/epss?cve=CVE-2023-28113
epss	0.00095	https://api.first.org/data/v1/epss?cve=CVE-2023-28113
epss	0.00095	https://api.first.org/data/v1/epss?cve=CVE-2023-28113
epss	0.00095	https://api.first.org/data/v1/epss?cve=CVE-2023-28113
epss	0.00095	https://api.first.org/data/v1/epss?cve=CVE-2023-28113
epss	0.00095	https://api.first.org/data/v1/epss?cve=CVE-2023-28113
epss	0.00095	https://api.first.org/data/v1/epss?cve=CVE-2023-28113
epss	0.00095	https://api.first.org/data/v1/epss?cve=CVE-2023-28113
epss	0.00095	https://api.first.org/data/v1/epss?cve=CVE-2023-28113
epss	0.00095	https://api.first.org/data/v1/epss?cve=CVE-2023-28113
epss	0.00095	https://api.first.org/data/v1/epss?cve=CVE-2023-28113
epss	0.00095	https://api.first.org/data/v1/epss?cve=CVE-2023-28113
epss	0.00095	https://api.first.org/data/v1/epss?cve=CVE-2023-28113
epss	0.00095	https://api.first.org/data/v1/epss?cve=CVE-2023-28113
epss	0.00095	https://api.first.org/data/v1/epss?cve=CVE-2023-28113
epss	0.00095	https://api.first.org/data/v1/epss?cve=CVE-2023-28113
epss	0.00095	https://api.first.org/data/v1/epss?cve=CVE-2023-28113
epss	0.00095	https://api.first.org/data/v1/epss?cve=CVE-2023-28113
epss	0.00095	https://api.first.org/data/v1/epss?cve=CVE-2023-28113
epss	0.00095	https://api.first.org/data/v1/epss?cve=CVE-2023-28113
epss	0.00095	https://api.first.org/data/v1/epss?cve=CVE-2023-28113
epss	0.00095	https://api.first.org/data/v1/epss?cve=CVE-2023-28113
epss	0.00095	https://api.first.org/data/v1/epss?cve=CVE-2023-28113
epss	0.00095	https://api.first.org/data/v1/epss?cve=CVE-2023-28113
epss	0.00095	https://api.first.org/data/v1/epss?cve=CVE-2023-28113
epss	0.00095	https://api.first.org/data/v1/epss?cve=CVE-2023-28113
epss	0.00095	https://api.first.org/data/v1/epss?cve=CVE-2023-28113
epss	0.00095	https://api.first.org/data/v1/epss?cve=CVE-2023-28113
epss	0.00095	https://api.first.org/data/v1/epss?cve=CVE-2023-28113
epss	0.00095	https://api.first.org/data/v1/epss?cve=CVE-2023-28113
epss	0.00095	https://api.first.org/data/v1/epss?cve=CVE-2023-28113
epss	0.00095	https://api.first.org/data/v1/epss?cve=CVE-2023-28113
epss	0.00095	https://api.first.org/data/v1/epss?cve=CVE-2023-28113
epss	0.00095	https://api.first.org/data/v1/epss?cve=CVE-2023-28113
epss	0.00095	https://api.first.org/data/v1/epss?cve=CVE-2023-28113
epss	0.00173	https://api.first.org/data/v1/epss?cve=CVE-2023-28113
epss	0.00173	https://api.first.org/data/v1/epss?cve=CVE-2023-28113
epss	0.00173	https://api.first.org/data/v1/epss?cve=CVE-2023-28113
epss	0.00173	https://api.first.org/data/v1/epss?cve=CVE-2023-28113
epss	0.00173	https://api.first.org/data/v1/epss?cve=CVE-2023-28113
epss	0.00173	https://api.first.org/data/v1/epss?cve=CVE-2023-28113
epss	0.00173	https://api.first.org/data/v1/epss?cve=CVE-2023-28113
epss	0.00173	https://api.first.org/data/v1/epss?cve=CVE-2023-28113
epss	0.00173	https://api.first.org/data/v1/epss?cve=CVE-2023-28113
epss	0.00173	https://api.first.org/data/v1/epss?cve=CVE-2023-28113
epss	0.00173	https://api.first.org/data/v1/epss?cve=CVE-2023-28113
epss	0.00173	https://api.first.org/data/v1/epss?cve=CVE-2023-28113
epss	0.00173	https://api.first.org/data/v1/epss?cve=CVE-2023-28113
epss	0.00173	https://api.first.org/data/v1/epss?cve=CVE-2023-28113
epss	0.00173	https://api.first.org/data/v1/epss?cve=CVE-2023-28113
epss	0.00183	https://api.first.org/data/v1/epss?cve=CVE-2023-28113
epss	0.00183	https://api.first.org/data/v1/epss?cve=CVE-2023-28113
epss	0.00183	https://api.first.org/data/v1/epss?cve=CVE-2023-28113
epss	0.00185	https://api.first.org/data/v1/epss?cve=CVE-2023-28113
epss	0.00200	https://api.first.org/data/v1/epss?cve=CVE-2023-28113
epss	0.00200	https://api.first.org/data/v1/epss?cve=CVE-2023-28113
epss	0.00200	https://api.first.org/data/v1/epss?cve=CVE-2023-28113
epss	0.00200	https://api.first.org/data/v1/epss?cve=CVE-2023-28113
epss	0.00200	https://api.first.org/data/v1/epss?cve=CVE-2023-28113
epss	0.00200	https://api.first.org/data/v1/epss?cve=CVE-2023-28113
epss	0.00200	https://api.first.org/data/v1/epss?cve=CVE-2023-28113
epss	0.00200	https://api.first.org/data/v1/epss?cve=CVE-2023-28113
epss	0.00200	https://api.first.org/data/v1/epss?cve=CVE-2023-28113
epss	0.00200	https://api.first.org/data/v1/epss?cve=CVE-2023-28113
epss	0.00200	https://api.first.org/data/v1/epss?cve=CVE-2023-28113
cvssv3.1_qr	MODERATE	https://github.com/advisories/GHSA-cqvm-j2r2-hwpg
cvssv3.1	5.9	https://github.com/warp-tech/russh
generic_textual	MODERATE	https://github.com/warp-tech/russh
cvssv3.1	5.9	https://github.com/warp-tech/russh/blob/master/russh/src/kex/dh/groups.rs#L72-L76
generic_textual	MODERATE	https://github.com/warp-tech/russh/blob/master/russh/src/kex/dh/groups.rs#L72-L76
ssvc	Track	https://github.com/warp-tech/russh/blob/master/russh/src/kex/dh/groups.rs#L72-L76
cvssv3.1	5.9	https://github.com/warp-tech/russh/blob/master/russh/src/kex/dh/groups.rs#L78-L81
generic_textual	MODERATE	https://github.com/warp-tech/russh/blob/master/russh/src/kex/dh/groups.rs#L78-L81
ssvc	Track	https://github.com/warp-tech/russh/blob/master/russh/src/kex/dh/groups.rs#L78-L81
cvssv3.1	5.9	https://github.com/warp-tech/russh/commit/45d2d82930bf4a675bd57abfafec8fe4065befcd
generic_textual	MODERATE	https://github.com/warp-tech/russh/commit/45d2d82930bf4a675bd57abfafec8fe4065befcd
cvssv3.1	5.9	https://github.com/warp-tech/russh/commit/d831a3716d3719dc76f091fcea9d94bd4ef97c6e
generic_textual	MODERATE	https://github.com/warp-tech/russh/commit/d831a3716d3719dc76f091fcea9d94bd4ef97c6e
ssvc	Track	https://github.com/warp-tech/russh/commit/d831a3716d3719dc76f091fcea9d94bd4ef97c6e
cvssv3.1	5.9	https://github.com/warp-tech/russh/releases/tag/v0.36.2
generic_textual	MODERATE	https://github.com/warp-tech/russh/releases/tag/v0.36.2
ssvc	Track	https://github.com/warp-tech/russh/releases/tag/v0.36.2
cvssv3.1	5.9	https://github.com/warp-tech/russh/releases/tag/v0.37.1
generic_textual	MODERATE	https://github.com/warp-tech/russh/releases/tag/v0.37.1
ssvc	Track	https://github.com/warp-tech/russh/releases/tag/v0.37.1
cvssv3.1	5.9	https://github.com/warp-tech/russh/security/advisories/GHSA-cqvm-j2r2-hwpg
generic_textual	MODERATE	https://github.com/warp-tech/russh/security/advisories/GHSA-cqvm-j2r2-hwpg
ssvc	Track	https://github.com/warp-tech/russh/security/advisories/GHSA-cqvm-j2r2-hwpg
cvssv3	5.9	https://nvd.nist.gov/vuln/detail/CVE-2023-28113
cvssv3.1	5.9	https://nvd.nist.gov/vuln/detail/CVE-2023-28113

Reference id	Reference type	URL
		https://api.first.org/data/v1/epss?cve=CVE-2023-28113
		https://github.com/warp-tech/russh
		https://github.com/warp-tech/russh/blob/master/russh/src/kex/dh/groups.rs#L72-L76
		https://github.com/warp-tech/russh/blob/master/russh/src/kex/dh/groups.rs#L78-L81
		https://github.com/warp-tech/russh/commit/45d2d82930bf4a675bd57abfafec8fe4065befcd
		https://github.com/warp-tech/russh/commit/d831a3716d3719dc76f091fcea9d94bd4ef97c6e
		https://github.com/warp-tech/russh/releases/tag/v0.36.2
		https://github.com/warp-tech/russh/releases/tag/v0.37.1
		https://github.com/warp-tech/russh/security/advisories/GHSA-cqvm-j2r2-hwpg
cpe:2.3:a:russh_project:russh:0.37.0:beta1::::rust::*		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:russh_project:russh:0.37.0:beta1::::rust::*
cpe:2.3:a:russh_project:russh:0.37.0:-::::rust::*		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:russh_project:russh:0.37.0:-::::rust::*
cpe:2.3:a:russh_project:russh::::::rust::*		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:russh_project:russh::::::rust::*
CVE-2023-28113		https://nvd.nist.gov/vuln/detail/CVE-2023-28113
GHSA-cqvm-j2r2-hwpg		https://github.com/advisories/GHSA-cqvm-j2r2-hwpg

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://github.com/warp-tech/russh

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/warp-tech/russh/blob/master/russh/src/kex/dh/groups.rs#L72-L76

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-25T14:29:28Z/ Found at https://github.com/warp-tech/russh/blob/master/russh/src/kex/dh/groups.rs#L72-L76

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/warp-tech/russh/blob/master/russh/src/kex/dh/groups.rs#L78-L81

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-25T14:29:28Z/ Found at https://github.com/warp-tech/russh/blob/master/russh/src/kex/dh/groups.rs#L78-L81

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/warp-tech/russh/commit/45d2d82930bf4a675bd57abfafec8fe4065befcd

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/warp-tech/russh/commit/d831a3716d3719dc76f091fcea9d94bd4ef97c6e

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-25T14:29:28Z/ Found at https://github.com/warp-tech/russh/commit/d831a3716d3719dc76f091fcea9d94bd4ef97c6e

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/warp-tech/russh/releases/tag/v0.36.2

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-25T14:29:28Z/ Found at https://github.com/warp-tech/russh/releases/tag/v0.36.2

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/warp-tech/russh/releases/tag/v0.37.1

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-25T14:29:28Z/ Found at https://github.com/warp-tech/russh/releases/tag/v0.37.1

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/warp-tech/russh/security/advisories/GHSA-cqvm-j2r2-hwpg

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-25T14:29:28Z/ Found at https://github.com/warp-tech/russh/security/advisories/GHSA-cqvm-j2r2-hwpg

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2023-28113

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2023-28113

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.27869
EPSS Score	0.00095
Published At	May 7, 2025, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
There are no relevant records.