PatchSiren

PatchSiren cyber security CVE debrief

CVE-2023-51385 Debian CVE debrief

CVE-2023-51385 is an OpenSSH client-side command injection issue published on 2023-12-18 and later updated in NVD on 2026-05-12. The problem affects OpenSSH versions before 9.6 when a user name or host name containing shell metacharacters is referenced through an expansion token in certain situations. The public example in the NVD description is an untrusted Git repository with a submodule that embeds a dangerous user or host name. From a defensive perspective, the risk is highest where SSH configuration or automation expands untrusted names into shell-like command contexts. The vulnerability is documented as network-reachable with low attack complexity and no privileges or user interaction required in the CVSS vector, though confidentiality and integrity impact are limited.

Vendor
Debian
Product
CVE-2023-51385
CVSS
MEDIUM 6.5
CISA KEV
Not listed in stored evidence
Original CVE published
2023-12-18
Original CVE updated
2026-05-12
Advisory published
2023-12-18
Advisory updated
2026-05-12

Who should care

Administrators and users running OpenSSH clients before 9.6, especially in environments that automate SSH connections, use expansion tokens in SSH-related commands/configuration, or process untrusted repository content such as Git submodules.

Technical summary

NVD classifies the weakness as CWE-78 (OS Command Injection) with CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N. The vulnerable condition occurs when a user name or host name contains shell metacharacters and that value is later referenced by an expansion token in certain SSH situations. The official OpenSSH release notes for 9.6 and the referenced upstream patch are the primary remediation indicators in the source corpus.

Defensive priority

Medium. This is a targeted injection flaw in OpenSSH before 9.6, with practical exposure depending on whether affected SSH client paths expand attacker-controlled names. Prioritize systems that handle untrusted input in SSH workflows.

Recommended defensive actions

  • Upgrade OpenSSH to version 9.6 or later, using the upstream release notes and patch reference as the remediation baseline.
  • Audit SSH client configurations, scripts, and tooling for expansion tokens that may interpolate user or host names into shell-command contexts.
  • Review automation that consumes untrusted repository metadata or submodules before invoking SSH-related operations.
  • Treat usernames and hostnames from untrusted sources as tainted input and avoid passing them into shell-expanded command paths.
  • Confirm distro-specific advisories and backports for Debian, Gentoo, Apple, NetApp, or other vendors listed in the reference set if you rely on packaged OpenSSH.

Evidence notes

This debrief is based only on the supplied NVD/CVE corpus and referenced official or vendor-linked sources. The vulnerability description, affected version boundary (< 9.6), CVSS vector, and CWE-78 classification come from the NVD record. The upstream OpenSSH patch commit and 9.6 release notes are included in the source references. Debian CPE entries are present in the supplied record, but the primary product described by the vulnerability text is OpenSSH.

Official resources

Publicly disclosed in the CVE record on 2023-12-18, with later NVD metadata updates on 2026-05-12. The source references include the OpenSSH 9.6 release notes and an upstream patch commit.