CVE-2007-4752
Published 2007-09-12
Priority P273 high · CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
ITW · VulnCheck KEV · Exploited in the wild
EPSS: 2.37% (81.7th percentile)
ssh in OpenSSH before 4.7 does not properly handle when an untrusted cookie cannot be created and uses a trusted X11 cookie instead, which allows attackers to violate intended policy and gain privileges by causing an X client to be treated as trusted.
Affected
18 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | openssh | < openssh 1:4.7p1-1 (bookworm) | openssh 1:4.7p1-1 (bookworm) |
| openbsd | openssh | <= 4.6 | — |
| openbsd | openssh | — | — |
| openbsd | openssh | — | — |
| openbsd | openssh | — | — |
| openbsd | openssh | — | — |
| openbsd | openssh | — | — |
| openbsd | openssh | — | — |
| openbsd | openssh | — | — |
| openbsd | openssh | — | — |
| openbsd | openssh | — | — |
| openbsd | openssh | — | — |
| openbsd | openssh | — | — |
| openbsd | openssh | — | — |
| openbsd | openssh | >= 0 < 1:4.7p1-1 | 1:4.7p1-1 |
| openbsd | openssh | >= 0 < 1:4.7p1-1 | 1:4.7p1-1 |
| openbsd | openssh | >= 0 < 1:4.7p1-1 | 1:4.7p1-1 |
| openbsd | openssh | >= 0 < 1:4.7p1-1 | 1:4.7p1-1 |
Detection & IOCs
- Vulnerable condition: ssh falls back to using a trusted X11 cookie when generation of an untrusted X11 cookie fails, causing an X client to be treated as trusted. Monitor X11 forwarding sessions on OpenSSH versions prior to 4.7 for unexpected trusted-cookie usage.
- The vulnerable code path is in clientloop.c; the fix was applied between revisions 1.180 and 1.181. Audit or diff that file in the source of the deployed OpenSSH build to confirm patch status.
- On RHEL 4 and 5, Trusted X11 forwarding is enabled in the default ssh client configuration as of RHEL 4 Update 1 and is used whenever X11 forwarding is used, so any X11-forwarded session on unpatched systems is potentially exploitable.
- RHEL 2.1 and RHEL 3 are NOT affected because their OpenSSH packages do not support Trusted X11 forwarding at all.
- The vulnerability only manifests when X11 forwarding is in use and the untrusted cookie creation fails; deployments with X11 forwarding disabled are not exposed.
- Fixed in OpenSSH 4.7 (Debian package 1:4.7p1-1); systems running OpenSSH >= 4.7 are not vulnerable.
CVSS provenance
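| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 7.5 | HIGH | — |
| vulncheck | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | LOW | — |
| vendor_redhat | — | 7.5 | HIGH | — |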
GHSA
GHSA-657x-xg3w-fxx6: ssh in OpenSSH before 4
ghsa_unreviewed·2022-05-01
CVE-2007-4752 [HIGH] CWE-20 GHSA-657x-xg3w-fxx6: ssh in OpenSSH before 4
OSV
CVE-2007-4752: ssh in OpenSSH before 4
osv·2007-09-12·CVSS 7.5
CVE-2007-4752 [HIGH] CVE-2007-4752: ssh in OpenSSH before 4
VulnCheck
OpenBSD openssh Improper Input Validation
vulncheck·2007·CVSS 7.5
CVE-2007-4752 [HIGH] OpenBSD openssh Improper Input Validation
Affected: OpenBSD openssh
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://access.redhat.com/errata/RHSA-2008:0855.html
Ubuntu
OpenSSH vulnerability
vendor_ubuntu·2008-01-09
CVE-2007-4752 OpenSSH vulnerability
Title: OpenSSH vulnerability
Summary: OpenSSH vulnerability
Jan Pechanec discovered that ssh would forward trusted X11 cookies when
untrusted cookie generation failed. This could lead to unintended privileges
being forwarded to a remote host.
Instructions: In general, a standard system upgrade is sufficient to effect the
necessary changes.
Red Hat
openssh falls back to the trusted x11 cookie if generation of an untrusted cookie fails
vendor_redhat·2007-09-04·CVSS 7.5
CVE-2007-4752 [HIGH] openssh falls back to the trusted x11 cookie if generation of an untrusted cookie fails
Statement: This issue did not affect the OpenSSH packages as distributed with Red Hat Enterprise Linux 2.1 or 3, as they do not support Trusted X11 forwarding.
Debian
CVE-2007-4752: openssh - ssh in OpenSSH before 4.7 does not properly handle when an untrusted cookie cann...
vendor_debian·2007·CVSS 7.5
CVE-2007-4752 [HIGH] CVE-2007-4752: openssh - ssh in OpenSSH before 4.7 does not properly handle when an untrusted cookie cann...
Scope: local
bookworm: resolved (fixed in 1:4.7p1-1)
bullseye: resolved (fixed in 1:4.7p1-1)
forky: resolved (fixed in 1:4.7p1-1)
sid: resolved (fixed in 1:4.7p1-1)
trixie: resolved (fixed in 1:4.7p1-1)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2007-4752 CVE-2008-1657 openssh multiple issues [Fedora 7]
bugzilla·2007-09-06·CVSS 7.5
CVE-2007-4752 [HIGH] CVE-2007-4752 CVE-2008-1657 openssh multiple issues [Fedora 7]
F7 tracking bug: see blocks bug list for full details of the security issue(s).
[bug automatically created by: add-tracking-bugs]
Discussion:
Ping on this.
---
Added blocks for CVE-2008-1657.
You may use following link to create update request:
https://admin.fedoraproject.org/updates/new/?request=Stable&type=security&release=Fedora%207&bugs=280461,280361,440268
---
This message is a reminder that Fedora 7 is nearing the end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 7. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '
Bugzilla
CVE-2007-4752 openssh falls back to the trusted x11 cookie if generation of an untrusted cookie fails
bugzilla·2007-09-06·CVSS 7.5
CVE-2007-4752 [HIGH] CVE-2007-4752 openssh falls back to the trusted x11 cookie if generation of an untrusted cookie fails
OpenSSH release 4.7 fixes following security-related issue:
* Prevent ssh(1) from using a trusted X11 cookie if creation of an
untrusted cookie fails; found and fixed by Jan Pechanec.
OpenSSH 4.7 release notes:
http://openssh.org/txt/release-4.7
Upstream patch:
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/clientloop.c.diff?r1=1.180&r2=1.181
Discussion:
The Red Hat Security Response Team has rated this issue as having low
security impact, a future update may address this flaw. More
information regarding issue severity can be found here:
http://www.redhat.com/security/updates/classification/
This issue did not affect openssh packages as distributed with Red Hat
Enterprise
arXiv
Integrating Network and Attack Graphs for Service-Centric Impact Analysis
arxiv_fulltext·2026-02-11
Joni Herttuainen
Vesa Kuikka
Kimmo K. Kaski
Department of Computer Science, Aalto University School of Science,
P.O. Box 11000, 00076 Aalto, Finland
## Abstract
We present a novel methodology for modelling, visualising, and analysing cyber threats, attack paths, as well as their impact on user services in enterprise or infrastructure networks of digital devices and services they provide. Using probabilistic methods to track the propagation of an attack through attack graphs, via the service or application layers, and on physical communication networks, our model enables us to analyse cyber attacks at different levels of detail. Understanding