CVE-2016-7406 — Improper Input Validation in Dropbear

CWE-20 — Improper Input Validation5 documents5 sources

Severity

9.8CRITICALNVD

EPSS

25.3%

top 3.79%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Dropbear SSH Project Dropbear SSH Debian Dropbear

Timeline

PublishedMar 3

Latest updateMay 17

Description

Format string vulnerability in Dropbear SSH before 2016.74 allows remote attackers to execute arbitrary code via format string specifiers in the (1) username or (2) host argument.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶debiandebian/dropbear< dropbear 2016.74-1 (bookworm)

▶Debiandropbear_ssh_project/dropbear_ssh< 2016.74-1+3

▶NVDdropbear_ssh_project/dropbear_ssh2016.73

Patches

Patch: www.openwall.com ↗Patch: secure.ucc.asn.au ↗Patch: security.gentoo.org ↗

🔴Vulnerability Details

GHSA

GHSA-jvpx-9hv9-4qf6: Format string vulnerability in Dropbear SSH before 2016↗2022-05-17

▶

OSV

CVE-2016-7406: Format string vulnerability in Dropbear SSH before 2016↗2017-03-03

▶

📋Vendor Advisories

Debian

CVE-2016-7406: dropbear - Format string vulnerability in Dropbear SSH before 2016.74 allows remote attacke...↗2016

▶

💬Community

Bugzilla

CVE-2016-7406 CVE-2016-7407 CVE-2016-7408 CVE-2016-7409 dropbear: Multiple issues fixed in dropbear 2016.74↗2016-09-15

▶