DopplerHQ / cli

The official CLI for interacting with your Doppler secrets and configuration.
https://docs.doppler.com
Apache License 2.0

Patch Fix Insufficient Verification of Data Authenticity Improper Validation of Integrity Check Value #448

Closed lamrecognitions closed 4 months ago

lamrecognitions commented 4 months ago

Terrapin is a prefix truncation attack targeting the SSH protocol. More precisely, Terrapin breaks the integrity of SSH's secure channel. By carefully adjusting the sequence numbers during the handshake, an attacker can remove an arbitrary number of messages sent by the client or server at the beginning of the secure channel without the client or server noticing it.

CVE-2023-48795 CWE-345 CWE-354 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
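A defender-side check for the report above, added here as an example and not code from the Doppler CLI or from this issue: it parses an SSH_MSG_KEXINIT payload (layout per RFC 4253 section 7.1) and reports whether the peer advertises the OpenSSH strict key exchange pseudo-algorithm that is the countermeasure for Terrapin. The sample payloads are constructed inline by BuildKexInit; no real server is contacted.

```go
package main

import (
	"encoding/binary"
	"errors"
	"strings"
)

// Strict-KEX pseudo-algorithm names (OpenSSH 9.6+) that signal the Terrapin
// countermeasure: servers advertise the "-s-" name, clients the "-c-" name.
const (
	StrictKexServer = "kex-strict-s-v00@openssh.com"
	StrictKexClient = "kex-strict-c-v00@openssh.com"
)

// OffersStrictKex reports whether an SSH_MSG_KEXINIT payload (RFC 4253 7.1:
// byte 20, 16-byte cookie, then ten length-prefixed name-lists) lists the
// given strict-KEX name in kex_algorithms, the first name-list.
func OffersStrictKex(payload []byte, want string) (bool, error) {
	if len(payload) < 21 || payload[0] != 20 {
		return false, errors.New("not an SSH_MSG_KEXINIT payload")
	}
	n := int(binary.BigEndian.Uint32(payload[17:21]))
	if n > len(payload)-21 {
		return false, errors.New("truncated kex_algorithms name-list")
	}
	for _, a := range strings.Split(string(payload[21:21+n]), ",") {
		if a == want {
			return true, nil
		}
	}
	return false, nil
}

// BuildKexInit builds a minimal constructed KEXINIT payload for testing: only
// kex_algorithms is populated; the other nine name-lists are left empty.
func BuildKexInit(kexAlgs []string) []byte {
	list := strings.Join(kexAlgs, ",")
	b := append([]byte{20}, make([]byte, 16)...) // all-zero cookie: sample only
	b = binary.BigEndian.AppendUint32(b, uint32(len(list)))
	b = append(b, list...)
	for i := 0; i < 9; i++ {
		b = binary.BigEndian.AppendUint32(b, 0) // empty name-list
	}
	b = append(b, 0)                           // first_kex_packet_follows = false
	return binary.BigEndian.AppendUint32(b, 0) // reserved uint32
}
```

A peer that does not offer the strict-KEX name (or a KEXINIT that fails to parse) is the case worth flagging in a connection audit.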

nmanoogian commented 4 months ago

Thanks for filing this, @lamrecognitions! However, this change is already included in #445, which is currently in review.