ssh in OpenSSH before 10.1 allows control characters in usernames that originate from certain possibly untrusted sources, potentially leading to code execution when a ProxyCommand is used. The untrusted sources are the command line and %-sequence expansion of a configuration file. (A configuration file that provides a complete literal username is not categorized as an untrusted source.)
1:7.5p1-101:7.5p1-81:7.5p1-91:7.5p1-9build11:7.5p1-11build11:8.9p1-3ubuntu0.141:7.5p1-121:7.5p1-12build11:7.5p1-131:9.6p1-3ubuntu13.151:7.5p1-141:7.5p1-151:7.5p1-15build11:7.5p1-161:10.0p1-5ubuntu5.11:7.5p1-171:10.2p1-2ubuntu11:7.5p1-171:7.5p1-18Exploitability
AV:LAC:HPR:LUI:NScope
S:UImpact
C:LI:LA:NCVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N