Vulnerabilities (CVE)

Filtered by vendor Openbsd Subscribe
Filtered by product Openssh
Total 103 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2019-16905 1 Openbsd 1 Openssh 2021-07-21 4.4 MEDIUM 7.8 HIGH
OpenSSH 7.7 through 7.9 and 8.x before 8.1, when compiled with an experimental key type, has a pre-authentication integer overflow if a client or server is configured to use a crafted XMSS key. This leads to memory corruption and local code execution because of an error in the XMSS key parsing algorithm. NOTE: the XMSS implementation is considered experimental in all released OpenSSH versions, and there is no supported way to enable it when building portable OpenSSH.
CVE-2020-14145 2 Netapp, Openbsd 10 Active Iq Unified Manager, Aff A700s, Aff A700s Firmware and 7 more 2021-07-21 4.3 MEDIUM 5.9 MEDIUM
The client side in OpenSSH 5.7 through 8.4 has an Observable Discrepancy leading to an information leak in the algorithm negotiation. This allows man-in-the-middle attackers to target initial connection attempts (where no host key for the server has been cached by the client). NOTE: some reports state that 8.5 and 8.6 are also affected.
CVE-2021-28041 3 Fedoraproject, Netapp, Openbsd 9 Fedora, Cloud Backup, Hci Compute Node and 6 more 2021-07-20 4.6 MEDIUM 7.1 HIGH
ssh-agent in OpenSSH before 8.5 has a double free that may be relevant in a few less-common scenarios, such as unconstrained agent-socket access on a legacy operating system, or the forwarding of an agent to an attacker-controlled host.
CVE-2020-15778 3 Broadcom, Netapp, Openbsd 10 Fabric Operating System, A700s, A700s Firmware and 7 more 2021-06-22 6.8 MEDIUM 7.8 HIGH
** DISPUTED ** scp in OpenSSH through 8.3p1 allows command injection in the scp.c toremote function, as demonstrated by backtick characters in the destination argument. NOTE: the vendor reportedly has stated that they intentionally omit validation of "anomalous argument transfers" because that could "stand a great chance of breaking existing workflows."
CVE-2007-2768 2 Netapp, Openbsd 5 Hci Management Node, Hci Storage Node, Solidfire and 2 more 2021-04-01 4.3 MEDIUM N/A
OpenSSH, when using OPIE (One-Time Passwords in Everything) for PAM, allows remote attackers to determine the existence of certain user accounts, which displays a different response if the user account exists and is configured to use one-time passwords (OTP), a similar issue to CVE-2007-2243.
CVE-2019-6109 5 Canonical, Debian, Netapp and 2 more 7 Ubuntu Linux, Debian Linux, Element Software and 4 more 2020-08-24 4.0 MEDIUM 6.8 MEDIUM
An issue was discovered in OpenSSH 7.9. Due to missing character encoding in the progress display, a malicious server (or Man-in-The-Middle attacker) can employ crafted object names to manipulate the client output, e.g., by using ANSI control codes to hide additional files being transferred. This affects refresh_progress_meter() in progressmeter.c.
CVE-2017-15906 1 Openbsd 1 Openssh 2020-08-24 5.0 MEDIUM 5.3 MEDIUM
The process_open function in sftp-server.c in OpenSSH before 7.6 does not properly prevent write operations in readonly mode, which allows attackers to create zero-length files.
CVE-2019-6111 5 Canonical, Debian, Openbsd and 2 more 5 Ubuntu Linux, Debian Linux, Openssh and 2 more 2020-08-24 5.8 MEDIUM 5.9 MEDIUM
An issue was discovered in OpenSSH 7.9. Due to the scp implementation being derived from 1983 rcp, the server chooses which files/directories are sent to the client. However, the scp client only performs cursory validation of the object name returned (only directory traversal attacks are prevented). A malicious scp server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the scp client target directory. If recursive operation (-r) is performed, the server can manipulate subdirectories as well (for example, to overwrite the .ssh/authorized_keys file).
CVE-2019-6110 3 Netapp, Openbsd, Winscp 5 Element Software, Ontap Select Deploy, Storage Automation Store and 2 more 2020-08-24 4.0 MEDIUM 6.8 MEDIUM
In OpenSSH 7.9, due to accepting and displaying arbitrary stderr output from the server, a malicious server (or Man-in-The-Middle attacker) can manipulate the client output, for example to use ANSI control codes to hide additional files being transferred.
CVE-2018-20685 7 Canonical, Debian, Netapp and 4 more 11 Ubuntu Linux, Debian Linux, Cloud Backup and 8 more 2020-08-24 2.6 LOW 5.3 MEDIUM
In OpenSSH 7.9, scp.c in the scp client allows remote SSH servers to bypass intended access restrictions via the filename of . or an empty filename. The impact is modifying the permissions of the target directory on the client side.
CVE-2018-15473 5 Canonical, Debian, Netapp and 2 more 21 Ubuntu Linux, Debian Linux, Aff Baseboard Management Controller and 18 more 2020-08-24 5.0 MEDIUM 5.3 MEDIUM
OpenSSH through 7.7 is prone to a user enumeration vulnerability due to not delaying bailout for an invalid authenticating user until after the packet containing the request has been fully parsed, related to auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c.
CVE-2020-12062 1 Openbsd 1 Openssh 2020-06-04 5.0 MEDIUM 7.5 HIGH
** DISPUTED ** The scp client in OpenSSH 8.2 incorrectly sends duplicate responses to the server upon a utimes system call failure, which allows a malicious unprivileged user on the remote server to overwrite arbitrary files in the client's download directory by creating a crafted subdirectory anywhere on the remote server. The victim must use the command scp -rp to download a file hierarchy containing, anywhere inside, this crafted subdirectory. NOTE: the vendor points out that "this attack can achieve no more than a hostile peer is already able to achieve within the scp protocol" and "utimes does not fail under normal circumstances."
CVE-2014-1692 1 Openbsd 1 Openssh 2020-02-04 7.5 HIGH N/A
The hash_buffer function in schnorr.c in OpenSSH through 6.4, when is modified to enable the J-PAKE protocol, does not initialize certain data structures, which might allow remote attackers to cause a denial of service (memory corruption) or have unspecified other impact via vectors that trigger an error condition.
CVE-2016-0777 5 Apple, Hp, Openbsd and 2 more 7 Mac Os X, Remote Device Access Virtual Customer Access System, Openssh and 4 more 2019-12-27 4.0 MEDIUM 6.5 MEDIUM
The resend_bytes function in roaming_common.c in the client in OpenSSH 5.x, 6.x, and 7.x before 7.1p2 allows remote servers to obtain sensitive information from process memory by requesting transmission of an entire buffer, as demonstrated by reading a private key.
CVE-2016-0778 5 Apple, Hp, Openbsd and 2 more 6 Mac Os X, Virtual Customer Access System, Openssh and 3 more 2019-12-27 4.6 MEDIUM 8.1 HIGH
The (1) roaming_read and (2) roaming_write functions in roaming_common.c in the client in OpenSSH 5.x, 6.x, and 7.x before 7.1p2, when certain proxy and forward options are enabled, do not properly maintain connection file descriptors, which allows remote servers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact by requesting many forwardings.
CVE-2013-4548 1 Openbsd 1 Openssh 2019-10-09 6.0 MEDIUM N/A
The mm_newkeys_from_blob function in monitor_wrap.c in sshd in OpenSSH 6.2 and 6.3, when an AES-GCM cipher is used, does not properly initialize memory for a MAC context data structure, which allows remote authenticated users to bypass intended ForceCommand and login-shell restrictions via packet data that provides a crafted callback address.
CVE-2016-10708 4 Canonical, Debian, Netapp and 1 more 12 Ubuntu Linux, Debian Linux, Cloud Backup and 9 more 2019-06-26 5.0 MEDIUM 7.5 HIGH
sshd in OpenSSH before 7.4 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an out-of-sequence NEWKEYS message, as demonstrated by Honggfuzz, related to kex.c and packet.c.
CVE-2015-6563 2 Apple, Openbsd 2 Mac Os X, Openssh 2019-03-26 1.9 LOW N/A
The monitor component in sshd in OpenSSH before 7.0 on non-OpenBSD platforms accepts extraneous username data in MONITOR_REQ_PAM_INIT_CTX requests, which allows local users to conduct impersonation attacks by leveraging any SSH login access in conjunction with control of the sshd uid to send a crafted MONITOR_REQ_PWNAM request, related to monitor.c and monitor_wrap.c.
CVE-2015-6564 1 Openbsd 1 Openssh 2019-03-26 6.9 MEDIUM N/A
Use-after-free vulnerability in the mm_answer_pam_free_ctx function in monitor.c in sshd in OpenSSH before 7.0 on non-OpenBSD platforms might allow local users to gain privileges by leveraging control of the sshd uid to send an unexpectedly early MONITOR_REQ_PAM_FREE_CTX request.
CVE-2018-15919 2 Netapp, Openbsd 7 Cloud Backup, Cn1610, Cn1610 Firmware and 4 more 2019-03-07 5.0 MEDIUM 5.3 MEDIUM
Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or "oracle") as a vulnerability.'