CVE-2020-24359:
Improper Input Validation in vault-ssh-helper

CVSS Score: 7.5

Basic Information

EPSS Score: -
Published: 2/15/2022
Updated: 10/2/2023
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Package Name: github.com/hashicorp/vault-ssh-helper
Ecosystem: go
Vulnerable Versions: < 0.2.0
First Patched Version: 0.2.0

Vulnerability Intelligence
Root Cause Analysis

The commit diff shows a fundamental change in IP validation logic in validateIP() within helper/agent.go. The pre-0.2.0 code used net.Interface.Addrs() and CIDR range checks (belongsToCIDR), while the patched version compares exact IP addresses. The CVE description explicitly references this subnet vs specific IP validation flaw, and the added test cases in agent_test.go verify exact IP matching behavior.
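
The difference between the two checks, as an added Go example (not vault-ssh-helper's code and not taken from the commit). The function names `subnetMatch` and `exactMatch` are hypothetical, and the interface address and candidate IPs are constructed.

```go
package main

import (
	"fmt"
	"net"
)

// subnetMatch models the pre-0.2.0 behaviour described above: the IP bound to
// the OTP is accepted if it falls inside the CIDR range of any host interface
// address. Hypothetical helper, not the project's own function.
func subnetMatch(otpIP string, hostCIDRs []string) bool {
	ip := net.ParseIP(otpIP)
	if ip == nil {
		return false
	}
	for _, c := range hostCIDRs {
		if _, network, err := net.ParseCIDR(c); err == nil && network.Contains(ip) {
			return true
		}
	}
	return false
}

// exactMatch models the patched behaviour: the IP bound to the OTP must equal
// one of the host's own interface addresses. Hypothetical helper.
func exactMatch(otpIP string, hostCIDRs []string) bool {
	ip := net.ParseIP(otpIP)
	if ip == nil {
		return false
	}
	for _, c := range hostCIDRs {
		if hostIP, _, err := net.ParseCIDR(c); err == nil && hostIP.Equal(ip) {
			return true
		}
	}
	return false
}

func main() {
	host := []string{"10.0.5.20/24"} // constructed interface address
	for _, ip := range []string{"10.0.5.20", "10.0.5.77", "10.0.6.1"} {
		fmt.Printf("%-10s subnet=%v exact=%v\n", ip, subnetMatch(ip, host), exactMatch(ip, host))
	}
}
```

An OTP issued for a neighbouring address on the same /24 passes the subnet check but fails the exact-address check, which is the gap the 0.2.0 change closes.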

WAF Protection Rules

WAF Rule

HashiCorp vault-ssh-helper (github.com/hashicorp/vault-ssh-helper/helper) up to and including version *.*.* incorrectly accepted Vault-issued SSH OTPs for the subnet in which a host's network interface was located, rather than the specific IP address