OpenSSH through 9.6, when common types of DRAM are used, might allow row hammer attacks (for authentication bypass) because the integer value of authenticated in mm_answer_authpassword does not resist flips of a single bit. NOTE: this is applicable to a certain threat model of attacker-victim co-location in which the attacker has user privileges.
Max CVSS
7.0
EPSS Score
0.05%
Published
2023-12-24
Updated
2024-02-27
The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009.
Max CVSS
9.8
EPSS Score
3.00%
Published
2023-07-20
Updated
2023-12-22
A double free or use after free could occur after SSL_clear in OpenBSD 7.2 before errata 026 and 7.3 before errata 004, and in LibreSSL before 3.6.3 and 3.7.x before 3.7.3. NOTE: OpenSSL is not affected.
Max CVSS
9.8
EPSS Score
0.06%
Published
2023-06-16
Updated
2023-11-06
ascii_load_sockaddr in smtpd in OpenBSD before 7.1 errata 024 and 7.2 before errata 020, and OpenSMTPD Portable before 7.0.0-portable commit f748277, can abort upon a connection from a local, scoped IPv6 address.
Max CVSS
7.8
EPSS Score
0.04%
Published
2023-04-04
Updated
2023-05-26
ssh-add in OpenSSH before 9.3 adds smartcard keys to ssh-agent without the intended per-hop destination constraints. The earliest affected version is 8.9.
Max CVSS
9.8
EPSS Score
0.09%
Published
2023-03-17
Updated
2024-02-12
In OpenBSD 7.2, a TCP packet with destination port 0 that matches a pf divert-to rule can crash the kernel.
Max CVSS
7.5
EPSS Score
0.09%
Published
2023-03-03
Updated
2023-04-06
slaacd in OpenBSD 6.9 and 7.0 before 2022-03-22 has an integer signedness error and resultant heap-based buffer overflow triggerable by a crafted IPv6 router advertisement. NOTE: privilege separation and pledge can prevent exploitation.
Max CVSS
7.5
EPSS Score
0.18%
Published
2022-03-25
Updated
2022-05-12
engine.c in slaacd in OpenBSD 6.9 and 7.0 before 2022-02-21 has a buffer overflow triggerable by an IPv6 router advertisement with more than seven nameservers. NOTE: privilege separation and pledge can prevent exploitation.
Max CVSS
7.5
EPSS Score
0.12%
Published
2022-03-25
Updated
2022-05-12
x509/x509_verify.c in LibreSSL before 3.4.2, and OpenBSD before 7.0 errata 006, allows authentication bypass because an error for an unverified certificate chain is sometimes discarded.
Max CVSS
9.8
EPSS Score
0.07%
Published
2023-04-15
Updated
2023-05-17
sshd in OpenSSH 6.2 through 8.x before 8.8, when certain non-default configurations are used, allows privilege escalation because supplemental groups are not initialized as expected. Helper programs for AuthorizedKeysCommand and AuthorizedPrincipalsCommand may run with privileges associated with group memberships of the sshd process, if the configuration specifies running the command as a different user.
Max CVSS
7.0
EPSS Score
0.06%
Published
2021-09-26
Updated
2023-12-26
ssh-agent in OpenSSH before 8.5 has a double free that may be relevant in a few less-common scenarios, such as unconstrained agent-socket access on a legacy operating system, or the forwarding of an agent to an attacker-controlled host.
Max CVSS
7.1
EPSS Score
0.18%
Published
2021-03-05
Updated
2022-05-20
iked in OpenIKED, as used in OpenBSD through 6.7, allows authentication bypass because ca.c has the wrong logic for checking whether a public key matches.
Max CVSS
9.8
EPSS Score
0.52%
Published
2020-07-28
Updated
2022-01-04
scp in OpenSSH through 8.3p1 allows command injection in the scp.c toremote function, as demonstrated by backtick characters in the destination argument. NOTE: the vendor reportedly has stated that they intentionally omit validation of "anomalous argument transfers" because that could "stand a great chance of breaking existing workflows."
Max CVSS
7.8
EPSS Score
0.29%
Published
2020-07-24
Updated
2024-03-21
The scp client in OpenSSH 8.2 incorrectly sends duplicate responses to the server upon a utimes system call failure, which allows a malicious unprivileged user on the remote server to overwrite arbitrary files in the client's download directory by creating a crafted subdirectory anywhere on the remote server. The victim must use the command scp -rp to download a file hierarchy containing, anywhere inside, this crafted subdirectory. NOTE: the vendor points out that "this attack can achieve no more than a hostile peer is already able to achieve within the scp protocol" and "utimes does not fail under normal circumstances.
Max CVSS
7.5
EPSS Score
0.13%
Published
2020-06-01
Updated
2024-03-21

CVE-2020-7247

Known exploited
Public exploit
smtp_mailaddr in smtp_session.c in OpenSMTPD 6.6, as used in OpenBSD 6.6 and other products, allows remote attackers to execute arbitrary commands as root via a crafted SMTP session, as demonstrated by shell metacharacters in a MAIL FROM field. This affects the "uncommented" default configuration. The issue exists because of an incorrect return value upon failure of input validation.
Max CVSS
10.0
EPSS Score
97.50%
Published
2020-01-29
Updated
2022-04-29
CISA KEV Added
2022-03-25
LibreSSL 2.9.1 through 3.2.1 has an out-of-bounds read in asn1_item_print_ctx (called from asn1_template_print_ctx).
Max CVSS
7.1
EPSS Score
0.15%
Published
2021-07-01
Updated
2021-07-08
LibreSSL 2.9.1 through 3.2.1 has a heap-based buffer over-read in do_print_ex (called from asn1_item_print_ctx and ASN1_item_print).
Max CVSS
7.1
EPSS Score
0.15%
Published
2021-07-01
Updated
2021-07-08

CVE-2019-19726

Public exploit
OpenBSD through 6.6 allows local users to escalate to root because a check for LD_LIBRARY_PATH in setuid programs can be defeated by setting a very small RLIMIT_DATA resource limit. When executing chpass or passwd (which are setuid root), _dl_setup_env in ld.so tries to strip LD_LIBRARY_PATH from the environment, but fails when it cannot allocate memory. Thus, the attacker is able to execute their own library code as root.
Max CVSS
7.8
EPSS Score
0.06%
Published
2019-12-12
Updated
2023-10-06
OpenBSD 6.6, in a non-default configuration where S/Key or YubiKey authentication is enabled, allows local users to become root by leveraging membership in the auth group. This occurs because root's file can be written to /etc/skey or /var/db/yubikey, and need not be owned by root.
Max CVSS
7.8
EPSS Score
0.04%
Published
2019-12-05
Updated
2020-08-24
libc in OpenBSD 6.6 allows authentication bypass via the -schallenge username, as demonstrated by smtpd, ldapd, or radiusd. This is related to gen/auth_subr.c and gen/authenticate.c in libc (and login/login.c and xenocara/app/xenodm/greeter/verify.c).
Max CVSS
9.8
EPSS Score
1.47%
Published
2019-12-05
Updated
2019-12-12
xlock in OpenBSD 6.6 allows local users to gain the privileges of the auth group by providing a LIBGL_DRIVERS_PATH environment variable, because xenocara/lib/mesa/src/loader/loader.c mishandles dlopen.
Max CVSS
7.8
EPSS Score
0.04%
Published
2019-12-05
Updated
2020-08-24
In OpenBSD 6.6, local users can use the su -L option to achieve any login class (often excluding root) because there is a logic error in the main function in su/su.c.
Max CVSS
7.8
EPSS Score
0.04%
Published
2019-12-05
Updated
2021-07-21
OpenSSH 7.7 through 7.9 and 8.x before 8.1, when compiled with an experimental key type, has a pre-authentication integer overflow if a client or server is configured to use a crafted XMSS key. This leads to memory corruption and local code execution because of an error in the XMSS key parsing algorithm. NOTE: the XMSS implementation is considered experimental in all released OpenSSH versions, and there is no supported way to enable it when building portable OpenSSH.
Max CVSS
7.8
EPSS Score
0.05%
Published
2019-10-09
Updated
2023-03-01
A vulnerability was discovered in Linux, FreeBSD, OpenBSD, MacOS, iOS, and Android that allows a malicious access point, or an adjacent user, to determine if a connected user is using a VPN, make positive inferences about the websites they are visiting, and determine the correct sequence and acknowledgement numbers in use, allowing the bad actor to inject data into the TCP stream. This provides everything that is needed for an attacker to hijack active connections inside the VPN tunnel.
Max CVSS
7.4
EPSS Score
0.05%
Published
2019-12-11
Updated
2023-03-01
OpenBSD kernel version <= 6.5 can be forced to create long chains of TCP SACK holes that causes very expensive calls to tcp_sack_option() for every incoming SACK packet which can lead to a denial of service.
Max CVSS
7.5
EPSS Score
0.27%
Published
2019-08-26
Updated
2021-08-02
143 vulnerabilities found
1 2 3 4 5 6
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!