Headline
CVE-2022-4768: Block injection attack in ssh public key handling (#673) · dropbox/merou@d930879
A vulnerability was found in Dropbox merou. It has been classified as critical. Affected is the function add_public_key of the file grouper/public_key.py of the component SSH Public Key Handler. The manipulation of the argument public_key_str leads to injection. It is possible to launch the attack remotely. The name of the patch is d93087973afa26bc0a2d0a5eb5c0fde748bdd107. It is recommended to apply a patch to fix this issue. VDB-216906 is the identifier assigned to this vulnerability.
@@ -11,7 +11,7 @@
get_public_keys_of_user,
PublicKeyParseError,
)
from tests.constants import SSH_KEY_1, SSH_KEY_BAD
from tests.constants import SSH2_KEY_BAD, SSH_KEY_1, SSH_KEY_BAD, SSH_KEY_BAD_MULTILINE
from tests.fixtures import session, users # noqa: F401
@@ -41,6 +41,16 @@ def test_bad_key(session, users): # noqa: F811
assert get_public_keys_of_user(session, user.id) == []
@pytest.mark.parametrize("key", [SSH_KEY_BAD_MULTILINE, SSH2_KEY_BAD])
def test_multiline_key(key, session, users): # noqa: F811
user = users[“cbguder@a.co”]
with pytest.raises(PublicKeyParseError, match="Public key cannot have newlines"):
add_public_key(session, user, key)
assert get_public_keys_of_user(session, user.id) == []
@patch(“grouper.public_key.get_plugin_proxy”)
def test_rejected_key(get_plugin_proxy, session, users): # noqa: F811
get_plugin_proxy.return_value = PluginProxy([PublicKeyPlugin()])