Weblate is a web based localization tool. Prior to 5.16.0, the SSH management console did not validate the passed input while adding the SSH host key, which could lead to an argument injection to `ssh-add`. Version 5.16.0 fixes the issue.
As a workaround, properly limit access to the management console.
Attack Parameters
Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Privileges Required
High
Admin privileges needed
User Interaction
None
No user interaction needed
Impact Assessment
Confidentiality
High
Complete data leak
Integrity
High
Complete data modification
Availability
High
Complete denial of service
CVSS Vector v3.1
Weakness Type (CWE)
Vulnerable Products 1
| Configuration | From (including) | Up to (excluding) |
|---|---|---|
|
Weblate Weblate
cpe:2.3:a:weblate:weblate:*:*:*:*:*:*:*:*
|
— |
5.16
|
References 3
https://github.com/WeblateOrg/weblate/commit/78773cc141ce0a97900c11341e6cf85645…
security-advisories@github.com
https://github.com/WeblateOrg/weblate/pull/17722
security-advisories@github.com
https://github.com/WeblateOrg/weblate/security/advisories/GHSA-33fm-6gp7-4p47
security-advisories@github.com