CVSS3: 3.7 Low

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | HIGH |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | LOW |
Integrity Impact | NONE |
Availability Impact | NONE |

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS2: 2.6 Low

Metric | Value |
---|---|
Access Vector | NETWORK |
Access Complexity | HIGH |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | NONE |
Availability Impact | NONE |

AV:N/AC:H/Au:N/C:P/I:N/A:N

EPSS: 0.002 Low (Percentile: 57.7%)

DISPUTED An issue was discovered in OpenSSH before 8.9. If a client
is using public-key authentication with agent forwarding but without
-oLogLevel=verbose, and an attacker has silently modified the server to
support the None authentication option, then the user cannot determine
whether FIDO authentication is going to confirm that the user wishes to
connect to that server, or that the user wishes to allow that server to
connect to a different server on the user’s behalf. NOTE: the vendor’s
position is “this is not an authentication bypass, since nothing is being
bypassed.”
Author | Note |
---|---|
seth-arnold | openssh-ssh1 is provided for compatibility with old devices that cannot be upgraded to modern protocols. Thus we may not provide security support for this package if doing so would prevent access to equipment. |
mdeslaur | This CVE appears to have been disputed by upstream, marking as not-affected |
bugzilla.mindrot.org/show_bug.cgi?id=3316
docs.ssh-mitm.at/trivialauth.html
github.com/openssh/openssh-portable/pull/258
launchpad.net/bugs/cve/CVE-2021-36368
nvd.nist.gov/vuln/detail/CVE-2021-36368
security-tracker.debian.org/tracker/CVE-2021-36368
www.cve.org/CVERecord?id=CVE-2021-36368
www.openssh.com/security.html