Vulnerability Details: CVE-2023-28531
ssh-add in OpenSSH before 9.3 adds smartcard keys to ssh-agent without the intended per-hop destination constraints. The earliest affected version is 8.9.
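In practical terms (from the OpenSSH 9.3 release notes), ssh-add failed to pass the per-hop destination constraints given with -h to the agent when adding smartcard (-s) keys, so such a key ended up usable from any forwarded hop instead of only the intended one. The script below is an added triage helper, not part of this CVE entry or of OpenSSH: it parses an `ssh -V` banner and reports whether the upstream version falls in the affected range 8.9 <= version < 9.3. The hostnames and PKCS#11 library path in its comments are placeholders, and the banners used for illustration are constructed. Because distributions backport fixes without bumping the upstream version (the Fedora and Debian updates in the references are exactly that), a hit means "check the vendor advisory", not "confirmed vulnerable".

```shell
#!/bin/sh
# Added example, not part of the CVE entry: classify an `ssh -V` banner against
# the affected range for CVE-2023-28531 (OpenSSH 8.9 up to, but not including, 9.3).
#
# Caveat: vendors backport the fix without changing the upstream version string,
# so a match here is a prompt to check the distribution advisory, not a verdict.
#
# The intended invocation that the bug silently broke (hostnames and the PKCS#11
# library path are placeholders):
#   ssh-add -h "jump.example>target.example" -s /usr/lib/opensc-pkcs11.so

# Print "major.minor" from a banner such as
#   "OpenSSH_9.0p1 Ubuntu-1ubuntu7.3, OpenSSL 3.0.2 15 Mar 2022"
# Prints nothing when the banner does not start with OpenSSH_<major>.<minor>.
openssh_version() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1.\2/p'
}

# Exit status: 0 when the version lies in [8.9, 9.3), 1 when it is outside that
# range, 2 when the banner could not be parsed (never silently "safe").
openssh_affected_cve_2023_28531() {
    ver=$(openssh_version "$1")
    [ -n "$ver" ] || return 2
    major=${ver%%.*}
    minor=${ver#*.}
    if [ "$major" -eq 8 ] && [ "$minor" -ge 9 ]; then
        return 0
    fi
    if [ "$major" -eq 9 ] && [ "$minor" -lt 3 ]; then
        return 0
    fi
    return 1
}

# Check the local client. `ssh -V` writes its banner to stderr; a missing ssh
# binary yields an unparseable string, which is reported rather than ignored.
banner=$(ssh -V 2>&1 || true)
openssh_affected_cve_2023_28531 "$banner" && rc=0 || rc=$?
case $rc in
    0) echo "IN AFFECTED RANGE (8.9 <= version < 9.3), verify vendor backports: $banner" ;;
    1) echo "outside affected range: $banner" ;;
    *) echo "could not parse an OpenSSH version from: $banner" ;;
esac
```

Run it on each host where smartcard keys are loaded with `ssh-add -s`; on a host already on a patched build, re-add the key with `-h` and confirm with `ssh-add -L` on a forwarded hop that the key is not offered beyond the intended destination.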
Products affected by CVE-2023-28531
- cpe:2.3:a:openbsd:openssh:*:*:*:*:*:*:*:*
- cpe:2.3:o:netapp:solidfire_element_os:-:*:*:*:*:*:*:*
- cpe:2.3:o:netapp:hci_bootstrap_os:-:*:*:*:*:*:*:*
- cpe:2.3:o:netapp:brocade_fabric_operating_system:-:*:*:*:*:*:*:*
Threat overview for CVE-2023-28531 (SecurityScorecard attack surface intelligence)
Top countries where our scanners detected CVE-2023-28531: (chart not reproduced)
Top open port discovered on systems with this issue: 22
IPs affected by CVE-2023-28531: 7,554,594
Threat actors abusing this issue? Yes
Exploit prediction scoring system (EPSS) score for CVE-2023-28531
EPSS score: 0.15% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~52% (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2023-28531
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST | 
References for CVE-2023-28531
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AN2UDTXEUSKFIOIYMV6JNI5VSBMYZOFT/
  [SECURITY] Fedora 38 Update: openssh-9.0p1-19.fc38 (package-announce, Fedora Mailing-Lists)
- https://www.openwall.com/lists/oss-security/2023/03/15/8
  oss-security: Announce: OpenSSH 9.3 released (Mailing List; Release Notes)
- https://security.netapp.com/advisory/ntap-20230413-0008/
  CVE-2023-28531 OpenSSH Vulnerability in NetApp Products, NetApp Product Security (Third Party Advisory)
- https://www.debian.org/security/2023/dsa-5586
  Debian Security Information: DSA-5586-1 openssh
- https://security.gentoo.org/glsa/202307-01
  OpenSSH: Remote Code Execution (GLSA 202307-01), Gentoo security (Third Party Advisory)