CVE-2021-36368

CWE-287Improper Authentication7 documents7 sources
Severity
3.7LOW
EPSS
0.5%
top 32.72%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Openbsd OpensshDebian Debian Linux
Timeline
PublishedMar 13
Latest updateMar 14

Description

An issue was discovered in OpenSSH before 8.9. If a client is using public-key authentication with agent forwarding but without -oLogLevel=verbose, and an attacker has silently modified the server to support the None authentication option, then the user cannot determine whether FIDO authentication is going to confirm that the user wishes to connect to that server, or that the user wishes to allow that server to connect to a different server on the user's behalf. NOTE: the vendor's position is "t

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 2.2 | Impact: 1.4

Affected Packages2 packages

NVDopenbsd/openssh< 8.9
Debianopenssh< 1:8.9p1-1+2

Also affects: Debian Linux 10.0, 11.0, 9.0

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

3
GHSA
GHSA-542x-jxrc-hw4x: ** DISPUTED ** An issue was discovered in OpenSSH before 82022-03-14
OSV
CVE-2021-36368: An issue was discovered in OpenSSH before 82022-03-13
CVEList
CVE-2021-36368: An issue was discovered in OpenSSH before 82022-03-12

📋Vendor Advisories

3
Red Hat
openssh: possible bypass of fido 2 devices and ssh-askpass2022-03-13
Microsoft
An issue was discovered in OpenSSH before 8.9. If a client is using public-key authentication with agent forwarding but without -oLogLevel=verbose and an attacker has silently modified the server to s2022-03-08
Debian
CVE-2021-36368: openssh - An issue was discovered in OpenSSH before 8.9. If a client is using public-key a...2021
CVE-2021-36368 (LOW CVSS 3.7) | An issue was discovered in OpenSSH | cvebase.io