CVE-2023-51385: 
NixOS vulnerability analysis and mitigation

CVE-2023-51385 affects OpenSSH versions before 9.6, where OS command injection might occur if a user name or host name contains shell metacharacters and is referenced by an expansion token in certain situations. The vulnerability was discovered and disclosed in December 2023. The issue affects various systems and software that use OpenSSH, including major Linux distributions and enterprise systems (OpenSSH Release, Debian Advisory).

The vulnerability occurs when an invalid user or hostname containing shell metacharacters is passed to ssh, and a ProxyCommand, LocalCommand directive, or 'match exec' predicate references the user or hostname via expansion tokens like %u, %h. This could lead to command injection depending on the quoting present in the user-supplied ssh_config directive. The vulnerability has been assigned a CVSS 3.1 base score of 6.5 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N (NVD).

If successfully exploited, this vulnerability could allow an attacker who can supply arbitrary user/hostnames to ssh to potentially perform command injection. A practical example of this vulnerability can occur in git repositories with submodules, where the repository could contain a submodule with shell metacharacters in its user or hostname (OpenSSH Release, Security Blog).

The primary mitigation is to upgrade to OpenSSH version 9.6 or later, which implements countermeasures by banning most shell metacharacters from user and hostnames supplied via the command-line. However, user/hostnames provided via ssh_config are not subject to these restrictions. The fix is available through various distribution channels including Debian, Ubuntu, Red Hat, and other major Linux distributions (OpenSSH Release, Debian Advisory).