CVE-2001-1585 — Improper Authentication in Openssh

CWE-287 — Improper Authentication4 documents4 sources

Severity

6.8MEDIUMNVD

EPSS

0.4%

top 42.49%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Openbsd Openssh

Timeline

PublishedDec 31

Latest updateApr 30

Description

SSH protocol 2 (aka SSH-2) public key authentication in the development snapshot of OpenSSH 2.3.1, available from 2001-01-18 through 2001-02-08, does not perform a challenge-response step to ensure that the client has the proper private key, which allows remote attackers to bypass authentication as other users by supplying a public key from that user's authorized_keys file.

CVSS vector

AV:N/AC:M/C:P/I:P/A:PExploitability: 8.6 | Impact: 6.4

Affected Packages1 packages

▶NVDopenbsd/openssh2.3.1

Patches

Patch: online.securityfocus.com ↗Patch: www.openbsd.org ↗Patch: online.securityfocus.com ↗

🔴Vulnerability Details

GHSA

GHSA-3rg7-4f6m-6x73: SSH protocol 2 (aka SSH-2) public key authentication in the development snapshot of OpenSSH 2↗2022-04-30

▶

CVEList

CVE-2001-1585: SSH protocol 2 (aka SSH-2) public key authentication in the development snapshot of OpenSSH 2↗2007-10-06

▶

📋Vendor Advisories

Debian

CVE-2001-1585: openssh - SSH protocol 2 (aka SSH-2) public key authentication in the development snapshot...↗2001

▶