The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009.
The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Openssh | Openbsd | * | 9.3 (excluding) |
Openssh | Openbsd | 9.3 (including) | 9.3 (including) |
Openssh | Openbsd | 9.3-p1 (including) | 9.3-p1 (including) |
DEVWORKSPACE-1.0-RHEL-8 | RedHat | devworkspace/devworkspace-operator-bundle:0.22-2 | * |
DEVWORKSPACE-1.0-RHEL-8 | RedHat | devworkspace/devworkspace-project-clone-rhel8:0.22-2 | * |
DEVWORKSPACE-1.0-RHEL-8 | RedHat | devworkspace/devworkspace-rhel8-operator:0.22-2 | * |
Red Hat Enterprise Linux 6 Extended Lifecycle Support | RedHat | openssh-0:5.3p1-125.el6_10 | * |
Red Hat Enterprise Linux 7 | RedHat | openssh-0:7.4p1-23.el7_9 | * |
Red Hat Enterprise Linux 8 | RedHat | openssh-0:8.0p1-19.el8_8 | * |
Red Hat Enterprise Linux 8 | RedHat | openssh-0:8.0p1-19.el8_8 | * |
Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions | RedHat | openssh-0:8.0p1-5.el8_1.1 | * |
Red Hat Enterprise Linux 8.2 Advanced Update Support | RedHat | openssh-0:8.0p1-5.el8_2 | * |
Red Hat Enterprise Linux 8.2 Telecommunications Update Service | RedHat | openssh-0:8.0p1-5.el8_2 | * |
Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions | RedHat | openssh-0:8.0p1-5.el8_2 | * |
Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support | RedHat | openssh-0:8.0p1-7.el8_4 | * |
Red Hat Enterprise Linux 8.4 Telecommunications Update Service | RedHat | openssh-0:8.0p1-7.el8_4 | * |
Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions | RedHat | openssh-0:8.0p1-7.el8_4 | * |
Red Hat Enterprise Linux 8.6 Extended Update Support | RedHat | openssh-0:8.0p1-15.el8_6 | * |
Red Hat Enterprise Linux 9 | RedHat | openssh-0:8.7p1-30.el9_2 | * |
Red Hat Enterprise Linux 9 | RedHat | openssh-0:8.7p1-30.el9_2 | * |
Red Hat Enterprise Linux 9.0 Extended Update Support | RedHat | openssh-0:8.7p1-11.el9_0 | * |
Openssh | Ubuntu | bionic | * |
Openssh | Ubuntu | devel | * |
Openssh | Ubuntu | esm-infra/bionic | * |
Openssh | Ubuntu | esm-infra/xenial | * |
Openssh | Ubuntu | fips-preview/jammy | * |
Openssh | Ubuntu | fips-updates/bionic | * |
Openssh | Ubuntu | fips-updates/focal | * |
Openssh | Ubuntu | fips-updates/jammy | * |
Openssh | Ubuntu | fips-updates/xenial | * |
Openssh | Ubuntu | fips/bionic | * |
Openssh | Ubuntu | fips/focal | * |
Openssh | Ubuntu | fips/xenial | * |
Openssh | Ubuntu | focal | * |
Openssh | Ubuntu | jammy | * |
Openssh | Ubuntu | kinetic | * |
Openssh | Ubuntu | lunar | * |
Openssh | Ubuntu | mantic | * |
Openssh | Ubuntu | noble | * |
Openssh | Ubuntu | oracular | * |
Openssh | Ubuntu | trusty | * |
Openssh | Ubuntu | trusty/esm | * |
Openssh | Ubuntu | upstream | * |
Openssh | Ubuntu | xenial | * |
Openssh-ssh1 | Ubuntu | bionic | * |
Openssh-ssh1 | Ubuntu | kinetic | * |
Openssh-ssh1 | Ubuntu | lunar | * |
Openssh-ssh1 | Ubuntu | mantic | * |
Openssh-ssh1 | Ubuntu | upstream | * |