N/A

A flaw was found with the libssh API function ssh_scp_new() in versions before 0.9.3 and before 0.8.8. When the libssh SCP client connects to a server, the scp command, which includes a user-provided path, is executed on the server-side. In case the library is used in a way where users can influence the third parameter of the function, it would become possible for an attacker to inject arbitrary commands, leading to a compromise of the remote target.

N/A

OS命令中使用的特殊元素转义处理不恰当(OS命令注入)

libssh 操作系统命令注入漏洞

libssh是libssh组织的一个用于访问SSH服务的C语言开发包，它能够执行远程命令、文件传输，同时为远程的程序提供安全的传输通道。 libssh 存在操作系统命令注入漏洞，该漏洞可能允许远程身份验证的攻击者在系统上执行任意命令，这是由 ssh_scp_new() 中的缺陷引起的。通过发送特制的请求，攻击者可以利用该漏洞在系统上执行任意命令。

N/A

N/A