Security Advisory Description
In ssh in OpenSSH before 9.6, OS command injection might occur if a user name or host name has shell metacharacters, and this name is referenced by an expansion token in certain situations. For example, an untrusted Git repository can have a submodule with shell metacharacters in a user name or host name. (CVE-2023-51385)
Impact
An attacker may be able to run arbitrary commands to gain access to restricted information, modify files, or cause a denial-of-service (DoS).