OpenSSH does not properly drop privileges when the UseLogin option is enabled, which allows local users to execute arbitrary commands by providing the command to the ssh daemon.
Source: MITRE | Max CVSS: 10.0 | EPSS Score: 0.19% | Published: 2000-06-08 | Updated: 2017-10-10
Format string vulnerabilities in OpenBSD ssh program (and possibly other BSD-based operating systems) allow attackers to gain root privileges.
Source: MITRE | Max CVSS: 10.0 | EPSS Score: 0.55% | Published: 2000-12-11 | Updated: 2008-09-05
CORE SDI SSH1 CRC-32 compensation attack detector allows remote attackers to execute arbitrary commands on an SSH server or client via an integer overflow.
Source: MITRE | Max CVSS: 10.0 | EPSS Score: 12.25% | Published: 2001-03-12 | Updated: 2018-05-03
Off-by-one error in the channel code of OpenSSH 2.0 through 3.0.2 allows local users or remote malicious servers to gain privileges.
Source: MITRE | Max CVSS: 10.0 | EPSS Score: 0.87% | Published: 2002-03-15 | Updated: 2024-02-02
Integer overflow in sshd in OpenSSH 2.9.9 through 3.3 allows remote attackers to execute arbitrary code during challenge response authentication (ChallengeResponseAuthentication) when OpenSSH is using SKEY or BSD_AUTH authentication.
Source: MITRE | Max CVSS: 10.0 | EPSS Score: 28.67% | Published: 2002-07-03 | Updated: 2024-02-08
Buffer overflow in sshd in OpenSSH 2.3.1 through 3.3 may allow remote attackers to execute arbitrary code via a large number of responses during challenge response authentication when OpenBSD is using PAM modules with interactive keyboard authentication (PAMAuthenticationViaKbdInt).
Source: MITRE | Max CVSS: 10.0 | EPSS Score: 40.32% | Published: 2002-07-03 | Updated: 2016-10-18
A "buffer management error" in buffer_append_space of buffer.c for OpenSSH before 3.7 may allow remote attackers to execute arbitrary code by causing an incorrect amount of memory to be freed and corrupting the heap, a different vulnerability than CVE-2003-0695.
Source: MITRE | Max CVSS: 10.0 | EPSS Score: 62.77% | Published: 2003-09-22 | Updated: 2018-05-03
The SSH1 PAM challenge response authentication in OpenSSH 3.7.1 and 3.7.1p1, when Privilege Separation is disabled, does not check the result of the authentication attempt, which can allow remote attackers to gain privileges.
Source: MITRE | Max CVSS: 10.0 | EPSS Score: 1.78% | Published: 2003-11-17 | Updated: 2008-09-10
The client in OpenSSH before 7.2 mishandles failed cookie generation for untrusted X11 forwarding and relies on the local X11 server for access-control decisions, which allows remote X11 clients to trigger a fallback and obtain trusted X11 forwarding privileges by leveraging configuration issues on this X11 server, as demonstrated by lack of the SECURITY extension on this X11 server.
Source: Red Hat, Inc. | Max CVSS: 9.8 | EPSS Score: 0.37% | Published: 2017-04-11 | Updated: 2022-12-13
ssh-add in OpenSSH before 9.3 adds smartcard keys to ssh-agent without the intended per-hop destination constraints. The earliest affected version is 8.9.
Source: MITRE | Max CVSS: 9.8 | EPSS Score: 0.11% | Published: 2023-03-17 | Updated: 2024-02-12
The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009.
Source: MITRE | Max CVSS: 9.8 | EPSS Score: 3.00% | Published: 2023-07-20 | Updated: 2024-04-04
Signal handler race condition in OpenSSH before 4.4 allows remote attackers to cause a denial of service (crash), and possibly execute arbitrary code if GSSAPI authentication is enabled, via unspecified vectors that lead to a double-free.
Source: Red Hat, Inc. | Max CVSS: 9.3 | EPSS Score: 72.45% | Published: 2006-09-27 | Updated: 2024-02-02
Certain Red Hat Enterprise Linux (RHEL) 4 and 5 packages for OpenSSH, as signed in August 2008 using a legitimate Red Hat GPG key, contain an externally introduced modification (Trojan Horse) that allows the package authors to have an unknown impact. NOTE: since the malicious packages were not distributed from any official Red Hat sources, the scope of this issue is restricted to users who may have obtained these packages through unofficial distribution points. As of 20080827, no unofficial distributions of this software are known.
Source: MITRE | Max CVSS: 9.3 | EPSS Score: 1.40% | Published: 2008-08-27 | Updated: 2017-08-08
The kbdint_next_device function in auth2-chall.c in sshd in OpenSSH through 6.9 does not properly restrict the processing of keyboard-interactive devices within a single connection, which makes it easier for remote attackers to conduct brute-force attacks or cause a denial of service (CPU consumption) via a long and duplicative list in the ssh -oKbdInteractiveDevices option, as demonstrated by a modified client that provides a different password for each pam element on this list.
Source: MITRE | Max CVSS: 8.5 | EPSS Score: 16.44% | Published: 2015-08-03 | Updated: 2022-12-13
The (1) roaming_read and (2) roaming_write functions in roaming_common.c in the client in OpenSSH 5.x, 6.x, and 7.x before 7.1p2, when certain proxy and forward options are enabled, do not properly maintain connection file descriptors, which allows remote servers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact by requesting many forwardings.
Source: Red Hat, Inc. | Max CVSS: 8.1 | EPSS Score: 0.27% | Published: 2016-01-14 | Updated: 2022-12-13
sshd in OpenSSH before 4.4, when using the version 1 SSH protocol, allows remote attackers to cause a denial of service (CPU consumption) via an SSH packet that contains duplicate blocks, which is not properly handled by the CRC compensation attack detector.
Source: Red Hat, Inc. | Max CVSS: 7.8 | EPSS Score: 94.60% | Published: 2006-09-27 | Updated: 2018-10-17
The do_setup_env function in session.c in sshd in OpenSSH through 7.2p2, when the UseLogin feature is enabled and PAM is configured to read .pam_environment files in user home directories, allows local users to gain privileges by triggering a crafted environment for the /bin/login program, as demonstrated by an LD_PRELOAD environment variable.
Source: MITRE | Max CVSS: 7.8 | EPSS Score: 0.04% | Published: 2016-05-01 | Updated: 2022-12-13
The auth_password function in auth-passwd.c in sshd in OpenSSH before 7.3 does not limit password lengths for password authentication, which allows remote attackers to cause a denial of service (crypt CPU consumption) via a long string.
Source: MITRE | Max CVSS: 7.8 | EPSS Score: 4.50% | Published: 2016-08-07 | Updated: 2022-12-13
The kex_input_kexinit function in kex.c in OpenSSH 6.x and 7.x through 7.3 allows remote attackers to cause a denial of service (memory consumption) by sending many duplicate KEXINIT requests. NOTE: a third party reports that "OpenSSH upstream does not consider this as a security issue."
Source: MITRE | Max CVSS: 7.8 | EPSS Score: 78.35% | Published: 2016-12-09 | Updated: 2024-05-17
The shared memory manager (associated with pre-authentication compression) in sshd in OpenSSH before 7.4 does not ensure that a bounds check is enforced by all compilers, which might allow local users to gain privileges by leveraging access to a sandboxed privilege-separation process, related to the m_zback and m_zlib data structures.
Source: MITRE | Max CVSS: 7.8 | EPSS Score: 0.04% | Published: 2017-01-05 | Updated: 2022-12-13
OpenSSH 7.7 through 7.9 and 8.x before 8.1, when compiled with an experimental key type, has a pre-authentication integer overflow if a client or server is configured to use a crafted XMSS key. This leads to memory corruption and local code execution because of an error in the XMSS key parsing algorithm. NOTE: the XMSS implementation is considered experimental in all released OpenSSH versions, and there is no supported way to enable it when building portable OpenSSH.
Source: MITRE | Max CVSS: 7.8 | EPSS Score: 0.05% | Published: 2019-10-09 | Updated: 2023-03-01
scp in OpenSSH through 8.3p1 allows command injection in the scp.c toremote function, as demonstrated by backtick characters in the destination argument. NOTE: the vendor reportedly has stated that they intentionally omit validation of "anomalous argument transfers" because that could "stand a great chance of breaking existing workflows."
Source: MITRE | Max CVSS: 7.8 | EPSS Score: 0.37% | Published: 2020-07-24 | Updated: 2024-06-04
sshd in OpenSSH 3.6.1p2 and earlier, when PermitRootLogin is disabled and using PAM keyboard-interactive authentication, does not insert a delay after a root login attempt with the correct password, which makes it easier for remote attackers to use timing differences to determine if the password step of a multi-step authentication is successful, a different vulnerability than CVE-2003-0190.
Source: MITRE | Max CVSS: 7.6 | EPSS Score: 1.50% | Published: 2003-12-31 | Updated: 2022-12-13
OpenSSH SSH client before 2.3.0 does not properly disable X11 or agent forwarding, which could allow a malicious SSH server to gain access to the X11 display and sniff X11 events, or gain access to the ssh-agent.
Source: MITRE | Max CVSS: 7.5 | EPSS Score: 0.71% | Published: 2001-01-09 | Updated: 2017-10-10
The SSH protocols 1 and 2 (aka SSH-2) as implemented in OpenSSH and other packages have various weaknesses which can allow a remote attacker to obtain the following information via sniffing: (1) password lengths or ranges of lengths, which simplifies brute force password guessing, (2) whether RSA or DSA authentication is being used, (3) the number of authorized_keys in RSA authentication, or (4) the lengths of shell commands.
Source: MITRE | Max CVSS: 7.5 | EPSS Score: 1.61% | Published: 2001-08-22 | Updated: 2008-09-05
113 vulnerabilities found