Lucene search

Openbsd Openssh

16 matches found

added 2019/01/31 6:29 p.m. | 5196 views

CVE-2019-6110

In OpenSSH 7.9, due to accepting and displaying arbitrary stderr output from the server, a malicious server (or Man-in-The-Middle attacker) can manipulate the client output, for example to use ANSI control codes to hide additional files being transferred.

CVSS 6.8 | AI score 6.2 | EPSS 0.45173

added 2019/01/31 6:29 p.m. | 4578 views

CVE-2019-6109

An issue was discovered in OpenSSH 7.9. Due to missing character encoding in the progress display, a malicious server (or Man-in-The-Middle attacker) can employ crafted object names to manipulate the client output, e.g., by using ANSI control codes to hide additional files being transferred. This a...

CVSS 6.8 | AI score 6.7 | EPSS 0.08063

added 2023/12/18 7:15 p.m. | 4536 views

CVE-2023-51385

In ssh in OpenSSH before 9.6, OS command injection might occur if a user name or host name has shell metacharacters, and this name is referenced by an expansion token in certain situations. For example, an untrusted Git repository can have a submodule with shell metacharacters in a user name or hos...

CVSS 6.5 | AI score 7.1 | EPSS 0.096

added 2015/08/24 1:59 a.m. | 3222 views

CVE-2015-6564

Use-after-free vulnerability in the mm_answer_pam_free_ctx function in monitor.c in sshd in OpenSSH before 7.0 on non-OpenBSD platforms might allow local users to gain privileges by leveraging control of the sshd uid to send an unexpectedly early MONITOR_REQ_PAM_FREE_CTX request.

CVSS 6.9 | AI score 5.7 | EPSS 0.02272

added 2016/01/14 10:59 p.m. | 3144 views

CVE-2016-0777

The resend_bytes function in roaming_common.c in the client in OpenSSH 5.x, 6.x, and 7.x before 7.1p2 allows remote servers to obtain sensitive information from process memory by requesting transmission of an entire buffer, as demonstrated by reading a private key.

CVSS 6.5 | AI score 6.4 | EPSS 0.67203

added 2025/02/18 7:15 p.m. | 2328 views

CVE-2025-26465

A vulnerability was found in OpenSSH when the VerifyHostKeyDNS option is enabled. A machine-in-the-middle attack can be performed by a malicious machine impersonating a legit server. This issue occurs due to how OpenSSH mishandles error codes in specific conditions when verifying the host key. For ...

CVSS 6.8 | AI score 6.7 | EPSS 0.52936

added 2016/03/22 10:59 a.m. | 1071 views

CVE-2016-3115

Multiple CRLF injection vulnerabilities in session.c in sshd in OpenSSH before 7.2p2 allow remote authenticated users to bypass intended shell-command restrictions via crafted X11 forwarding data, related to the (1) do_authenticated1 and (2) session_x11_req functions.

CVSS 6.4 | AI score 6.8 | EPSS 0.45137

added 2008/04/02 6:44 p.m. | 1008 views

CVE-2008-1657

OpenSSH 4.4 up to versions before 4.9 allows remote authenticated users to bypass the sshd_config ForceCommand directive by modifying the .ssh/rc session file.

CVSS 6.5 | AI score 6.5 | EPSS 0.00202

added 2023/02/03 6:15 a.m. | 807 views

CVE-2023-25136

OpenSSH server (sshd) 9.1 introduced a double-free vulnerability during options.kex_algorithms handling. This is fixed in OpenSSH 9.2. The double free can be leveraged, by an unauthenticated remote attacker in the default configuration, to jump to any location in the sshd address space. One third-p...

CVSS 6.5 | AI score 6.8 | EPSS 0.90536

added 2009/10/01 3:30 p.m. | 425 views

CVE-2009-2904

A certain Red Hat modification to the ChrootDirectory feature in OpenSSH 4.8, as used in sshd in OpenSSH 4.3 in Red Hat Enterprise Linux (RHEL) 5.4 and Fedora 11, allows local users to gain privileges via hard links to setuid programs that use configuration files within the chroot directory, relate...

CVSS 6.9 | AI score 7.5 | EPSS 0.00039

added 2005/02/20 5:00 a.m. | 201 views

CVE-2004-1653

The default configuration for OpenSSH enables AllowTcpForwarding, which could allow remote authenticated users to perform a port bounce, when configured with an anonymous access program such as AnonCVS.

CVSS 6.4 | AI score 9.1 | EPSS 0.00375

added 2008/03/24 11:44 p.m. | 197 views

CVE-2008-1483

OpenSSH 4.3p2, and probably other versions, allows local users to hijack forwarded X connections by causing ssh to set DISPLAY to :10, even when another process is listening on the associated port, as demonstrated by opening TCP port 6010 (IPv4) and sniffing a cookie sent by Emacs.

CVSS 6.9 | AI score 5.8 | EPSS 0.00135

added 2013/11/08 3:55 p.m. | 178 views

CVE-2013-4548

The mm_newkeys_from_blob function in monitor_wrap.c in sshd in OpenSSH 6.2 and 6.3, when an AES-GCM cipher is used, does not properly initialize memory for a MAC context data structure, which allows remote authenticated users to bypass intended ForceCommand and login-shell restrictions via packet d...

CVSS 6 | AI score 6 | EPSS 0.00291

added 2008/08/04 10:00 a.m. | 128 views

CVE-2004-2760

sshd in OpenSSH 3.5p1, when PermitRootLogin is disabled, immediately closes the TCP connection after a root login attempt with the correct password, but leaves the connection open after an attempt with an incorrect password, which makes it easier for remote attackers to guess the password by observ...

CVSS 6.8 | AI score 6.6 | EPSS 0.12913

added 2007/10/06 9:00 p.m. | 69 views

CVE-2001-1585

SSH protocol 2 (aka SSH-2) public key authentication in the development snapshot of OpenSSH 2.3.1, available from 2001-01-18 through 2001-02-08, does not perform a challenge-response step to ensure that the client has the proper private key, which allows remote attackers to bypass authentication as...

CVSS 6.8 | AI score 9.6 | EPSS 0.00265

added 2008/07/18 4:41 p.m. | 53 views

CVE-2008-3234

sshd in OpenSSH 4 on Debian GNU/Linux, and the 20070303 OpenSSH snapshot, allows remote authenticated users to obtain access to arbitrary SELinux roles by appending a :/ (colon slash) sequence, followed by the role name, to the username.

CVSS 6.5 | AI score 8.9 | EPSS 0.02871