PT-2023-9800 · Asyncssh+4

Lambdafu +1
Published: 2023-11-09 · Updated: 2025-03-10
CVE-2023-46445
CVSS v3.1: 5.9 Medium
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: AsyncSSH versions prior to 2.14.1
Description: AsyncSSH before 2.14.1 lets a man-in-the-middle attacker control the extension info message (SSH_MSG_EXT_INFO, RFC 8308) that the client processes: an implementation flaw allows the attacker to delete the server's original extension info message and inject one of their own choosing. By rewriting the value of the server-sig-algs extension, the attacker can downgrade the public-key signature algorithm the client uses during user authentication, for example to SHA-1 (ssh-rsa) instead of SHA-2 (rsa-sha2-256/rsa-sha2-512). Confidentiality and availability are not affected; the impact is on the integrity of algorithm negotiation (I:H), and the attack needs an active network position between client and server (AC:H).
Recommendations: Update to AsyncSSH 2.14.1 or later, which fixes the issue. Until the update is rolled out, the downgrade can be blunted on the client side by removing SHA-1 based signature algorithms (ssh-rsa, ssh-dss) from the client's allowed signature algorithms, so that a tampered server-sig-algs list cannot steer authentication onto them; note that this will break authentication to servers that accept only those legacy algorithms.
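To make the downgrade concrete, here is an added example (not the advisory's own text and not AsyncSSH code) that encodes and parses SSH_MSG_EXT_INFO as laid out in RFC 8308 and models a client choosing its public-key signature algorithm from the server-sig-algs extension. The function names build_ext_info, parse_ext_info, choose_sig_alg and the client preference list are assumptions chosen for illustration; the genuine and tampered messages are constructed inline. It shows the client picking rsa-sha2-512 from the server's real list, picking SHA-1 ssh-rsa once an attacker has substituted a list containing only ssh-rsa, and refusing to authenticate when SHA-1 algorithms are excluded from the client's allowed set.

```python
from __future__ import annotations

import struct

# Message number of SSH_MSG_EXT_INFO (RFC 8308). Illustrative code, not AsyncSSH's.
SSH_MSG_EXT_INFO = 7

# Signature algorithms whose hash is SHA-1; a client that never selects these
# cannot be pushed onto SHA-1 by a tampered server-sig-algs value.
SHA1_SIG_ALGS = frozenset({"ssh-rsa", "ssh-dss"})


def _ssh_string(data: bytes) -> bytes:
    """Encode an SSH 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _read_string(msg: bytes, pos: int) -> tuple[bytes, int]:
    """Decode an SSH 'string' at pos, refusing a truncated message."""
    if pos + 4 > len(msg):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", msg, pos)
    pos += 4
    if pos + n > len(msg):
        raise ValueError("truncated string body")
    return msg[pos:pos + n], pos + n


def build_ext_info(extensions: dict[str, str]) -> bytes:
    """Build SSH_MSG_EXT_INFO: byte 7, uint32 nr-extensions, then name/value string pairs."""
    out = bytes([SSH_MSG_EXT_INFO]) + struct.pack(">I", len(extensions))
    for name, value in extensions.items():
        out += _ssh_string(name.encode()) + _ssh_string(value.encode())
    return out


def parse_ext_info(msg: bytes) -> dict[str, str]:
    """Parse SSH_MSG_EXT_INFO into {extension-name: extension-value}."""
    if not msg or msg[0] != SSH_MSG_EXT_INFO:
        raise ValueError("not an SSH_MSG_EXT_INFO message")
    if len(msg) < 5:
        raise ValueError("truncated extension count")
    (count,) = struct.unpack_from(">I", msg, 1)
    pos = 5
    exts: dict[str, str] = {}
    for _ in range(count):
        name, pos = _read_string(msg, pos)
        value, pos = _read_string(msg, pos)
        exts[name.decode()] = value.decode()
    return exts


def choose_sig_alg(client_prefs: list[str], server_sig_algs: str,
                   forbid_sha1: bool = False) -> str | None:
    """Pick the first client-preferred algorithm that appears in server-sig-algs.

    With forbid_sha1=True the SHA-1 algorithms are never chosen, so a downgraded
    list yields None (the client refuses) instead of a weak signature.
    """
    advertised = set(server_sig_algs.split(","))
    for alg in client_prefs:
        if forbid_sha1 and alg in SHA1_SIG_ALGS:
            continue
        if alg in advertised:
            return alg
    return None


# Assumed client preference order, strongest first.
CLIENT_PREFS = ["rsa-sha2-512", "rsa-sha2-256", "ssh-rsa"]


def downgrade_demo() -> tuple[str | None, str | None, str | None]:
    """Return (choice with genuine EXT_INFO, choice with tampered EXT_INFO, choice with SHA-1 refused)."""
    # Constructed messages: what the server sent versus what a MitM substituted for it.
    genuine = build_ext_info({"server-sig-algs": "rsa-sha2-512,rsa-sha2-256,ssh-rsa"})
    tampered = build_ext_info({"server-sig-algs": "ssh-rsa"})

    honest = choose_sig_alg(CLIENT_PREFS, parse_ext_info(genuine)["server-sig-algs"])
    downgraded = choose_sig_alg(CLIENT_PREFS, parse_ext_info(tampered)["server-sig-algs"])
    hardened = choose_sig_alg(CLIENT_PREFS, parse_ext_info(tampered)["server-sig-algs"],
                              forbid_sha1=True)
    return honest, downgraded, hardened


if __name__ == "__main__":
    print(downgrade_demo())  # ('rsa-sha2-512', 'ssh-rsa', None)
```

The third result is the point of the client-side mitigation above: once SHA-1 algorithms are outside the client's allowed set, a tampered server-sig-algs list can only make authentication fail, not make it weaker.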

Weakness Enumeration

Insufficient Verification of Data Authenticity (CWE-345)

Related Identifiers

ALT-PU-2025-2804
BDU:2024-11318
CVE-2023-46445
DLA-3899-1
GHSA-CFC2-WR2V-GXM5
OPENSUSE-SU-2024:13417-1
PYSEC-2023-237
USN-7108-1
USN-7108-2

Affected Products

Alt Linux
Asyncssh
Linuxmint
Red Os
Ubuntu