It appears the SSH tunnel implementation of sqlectron is not performing verification of the remote ssh host key (~/.ssh/known_hosts) and blindly accepts any connection, potentially compromising the login & all subsequent traffic if a MITM attack is in place.
I verified it by simulating a host key change and the tool still just blindly connected.
This comes from the underlying ssh2 lib, where it is only an optional option:
https://github.com/sqlectron/sqlectron-db-core/blob/main/src/tunnel.ts