CVE-2019-16905 |
BDSA-2019-3195 |
High |
Oct 09, 2019 |
OpenSSH 7.7 through 7.9 and 8.x before 8.1, when compiled with an experimental key type, has a pre-authentication integer overflow if a client or server is configured to use a crafted XMSS key. This leads to memory corruption and local code execution because of an error in the XMSS key parsing algorithm. NOTE: the XMSS implementation is considered experimental in all released OpenSSH versions, and there is no supported way to enable it when building portable OpenSSH.
|
7.7
|
CVE-2018-20685 |
BDSA-2018-4661 |
Medium |
Jan 10, 2019 |
In OpenSSH 7.9, scp.c in the scp client allows remote SSH servers to bypass intended access restrictions via the filename of . or an empty filename. The impact is modifying the permissions of the target directory on the client side.
|
7.7, 7.2, 7.1, 7.0, 6.9, 6.8, 6.7, 6.3, 6.2, 6.0
|
CVE-2018-15919 |
BDSA-2018-2986 |
Medium |
Aug 28, 2018 |
Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or "oracle") as a vulnerability.'
|
7.7, 7.2, 7.1, 7.0, 6.9, 6.8, 6.7, 6.3, 6.2, 6.0
|
CVE-2018-15473 |
BDSA-2018-2820 |
Medium |
Aug 17, 2018 |
OpenSSH through 7.7 is prone to a user enumeration vulnerability due to not delaying bailout for an invalid authenticating user until after the packet containing the request has been fully parsed, related to auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c.
|
7.7, 7.2, 7.1, 7.0, 6.9, 6.8, 6.7, 6.3, 6.2, 6.0
|
CVE-2016-20012 |
BDSA-2016-1729 |
Medium |
Sep 15, 2021 |
OpenSSH through 8.7 allows remote attackers, who have a suspicion that a certain combination of username and public key is known to an SSH server, to test whether this suspicion is correct. This occurs because a challenge is sent only when that combination could be valid for a login session. NOTE: the vendor does not recognize user enumeration as a vulnerability for this product.
|
7.7, 7.2, 7.1, 7.0, 6.9, 6.8, 6.7, 6.3, 6.2, 6.0
|
BDSA-2023-3560 |
|
Medium |
Dec 28, 2023 |
OpenSSH is vulnerable to a specific [Rowhammer](https://en.wikipedia.org/wiki/Row_hammer) attack when running on a machine with most (89%) types of DRAM memory. This class of attack has been called "Mayhem". An attacker with local access to the machine could leverage this to bypass OpenSSH's authentication, leading to privilege escalation.
**Note**: an OpenSSH developer has stated the following regarding the exploitability of this issue:
> This attack was not demonstrated against stock OpenSSH, but instead against a modified sshd that had extra synchronisation added to make the attack easier. AFAIK achieving the timing required to successfully exploit is close to impossible in the real world.
> ...
> Nobody has demonstrated this attack against a configuration remotely approximating real-world conditions. We consider rowhammer mitigation to be the job of the platform, not userspace software.
|
|
BDSA-2020-1286 |
|
Low |
Jun 05, 2020 |
OpenSSH is vulnerable to the overwriting of files due to the possibility of the file transfer mechanism becoming unsynchronized. A remote attacker could exploit this to write arbitrary files into the transfer glob or directory that has been specified by the victim. The attacker would have to trick a victim into connecting to a malicious peer containing a crafted file system to achieve this.
It should be noted that this vulnerability is not exploitable under normal circumstances, as a configuration must exist that will cause the `utimes` system call to fail.
|
|
BDSA-2020-0264 |
|
Medium |
Feb 14, 2020 |
OpenSSH is vulnerable to SHA1 collision attacks. This is a known vulnerability against the SHA1 algorithm that can be abused by an attacker to break encryption.
|
|
BDSA-2016-1582 |
|
High |
Dec 12, 2018 |
An untrusted search path vulnerability has been discovered in OpenSSH. An attacker could exploit this vulnerability by leveraging the control of the forwarded agent-socket to execute arbitrary code against the system as the privileged ssh-agent.
|
|