CVE Vulnerabilities

CVE-2021-41617

Published: Sep 26, 2021 | Modified: Dec 26, 2023
CVSS 3.x: 7 HIGH (Source: NVD), CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS 2.x: 4.4 MEDIUM, AV:L/AC:M/Au:N/C:P/I:P/A:P
RedHat/V2
RedHat/V3: 7 MODERATE, CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Ubuntu: LOW

sshd in OpenSSH 6.2 through 8.x before 8.8, when certain non-default configurations are used, allows privilege escalation because supplemental groups are not initialized as expected. Helper programs for AuthorizedKeysCommand and AuthorizedPrincipalsCommand may run with privileges associated with group memberships of the sshd process, if the configuration specifies running the command as a different user.
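A defender-side audit of the condition described above, as an added example that is not part of the original record or of OpenSSH itself. It assumes the "different user" setting is expressed through the `AuthorizedKeysCommandUser` and `AuthorizedPrincipalsCommandUser` directives; the function names and the sample configuration are constructed for illustration, and `Include` files are not followed.

```python
import re

# Helper-command directive -> directive naming the account the helper runs as.
PAIRS = {
    "authorizedkeyscommand": "authorizedkeyscommanduser",
    "authorizedprincipalscommand": "authorizedprincipalscommanduser",
}

# Constructed sample sshd_config, not taken from any real host.
SAMPLE_CONFIG = """\
# constructed sample
Port 22
AuthorizedKeysCommand /usr/local/bin/fetch-keys %u
AuthorizedKeysCommandUser nobody
AuthorizedPrincipalsCommand none
Match Group contractors
    AuthorizedPrincipalsCommandUser=svc-principals
"""

def parse_directives(text):
    """Yield (line_number, lowercased keyword, value); keywords are case-insensitive."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([A-Za-z0-9]+)(?:\s*=\s*|\s+)(.*)$", line)
        if m:
            yield lineno, m.group(1).lower(), m.group(2).strip().strip('"')

def version_affected(banner):
    """True if the upstream version is in 6.2 <= v < 8.8; None if unparseable."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)", banner)
    if not m:
        return None
    return (6, 2) <= (int(m.group(1)), int(m.group(2))) < (8, 8)

def audit(config_text, banner):
    """Flag helper commands (global or in Match blocks) paired with a run-as user."""
    directives = list(parse_directives(config_text))
    findings = []
    for cmd_kw, user_kw in PAIRS.items():
        cmds = [n for n, k, v in directives if k == cmd_kw and v.lower() != "none"]
        users = [(n, v) for n, k, v in directives if k == user_kw]
        if cmds and users:
            findings.append({"directive": cmd_kw, "command_lines": cmds, "run_as": users})
    affected = version_affected(banner)
    # Distribution packages may carry a backported fix, so the version is only a hint.
    return {"version_affected": affected, "findings": findings,
            "exposed": bool(affected and findings)}
```

Because vendors backport the fix into older package versions (see the Red Hat rows under Affected Software), a host flagged here should be confirmed against the installed package version rather than the upstream version string alone.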

Affected Software

| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Openssh | Openbsd | 6.2 (including) | 8.8 (excluding) |
| Red Hat Enterprise Linux 7 | RedHat | openssh-0:7.4p1-22.el7_9 | * |
| Red Hat Enterprise Linux 8 | RedHat | openssh-0:8.0p1-13.el8 | * |
| Openssh | Ubuntu | bionic | * |
| Openssh | Ubuntu | esm-infra-legacy/trusty | * |
| Openssh | Ubuntu | esm-infra/bionic | * |
| Openssh | Ubuntu | esm-infra/xenial | * |
| Openssh | Ubuntu | fips-updates/bionic | * |
| Openssh | Ubuntu | fips-updates/focal | * |
| Openssh | Ubuntu | fips-updates/xenial | * |
| Openssh | Ubuntu | fips/bionic | * |
| Openssh | Ubuntu | fips/focal | * |
| Openssh | Ubuntu | fips/xenial | * |
| Openssh | Ubuntu | focal | * |
| Openssh | Ubuntu | hirsute | * |
| Openssh | Ubuntu | impish | * |
| Openssh | Ubuntu | trusty | * |
| Openssh | Ubuntu | trusty/esm | * |
| Openssh | Ubuntu | upstream | * |
| Openssh | Ubuntu | xenial | * |
| Openssh-ssh1 | Ubuntu | bionic | * |
| Openssh-ssh1 | Ubuntu | devel | * |
| Openssh-ssh1 | Ubuntu | esm-apps/bionic | * |
| Openssh-ssh1 | Ubuntu | esm-apps/focal | * |
| Openssh-ssh1 | Ubuntu | esm-apps/jammy | * |
| Openssh-ssh1 | Ubuntu | esm-apps/noble | * |
| Openssh-ssh1 | Ubuntu | focal | * |
| Openssh-ssh1 | Ubuntu | hirsute | * |
| Openssh-ssh1 | Ubuntu | impish | * |
| Openssh-ssh1 | Ubuntu | jammy | * |
| Openssh-ssh1 | Ubuntu | kinetic | * |
| Openssh-ssh1 | Ubuntu | lunar | * |
| Openssh-ssh1 | Ubuntu | mantic | * |
| Openssh-ssh1 | Ubuntu | noble | * |
| Openssh-ssh1 | Ubuntu | oracular | * |
| Openssh-ssh1 | Ubuntu | upstream | * |
