OpenSSH
Privilege-escalation exposure in OpenSSH before 10.3 (fixed in 10.3p1) where scp, when run by root using the legacy SCP protocol flag -O and without -p (preserve mode), may write a downloaded file with setuid or setgid bits set, contrary to user expectation. A malicious or compromised SSH server (or a man-in-the-middle on the transfer) could thereby cause an attacker-controlled binary to land on disk as a setuid/setgid-root executable, enabling local privilege escalation when it is later run. There is no public exploit identified at time of analysis, EPSS is very low (0.04%), and CISA SSVC rates exploitation as 'none' though technical impact as 'total'.
Vulnerability in the OpenSSH GSSAPI delta included in various Linux distributions. This vulnerability affects the GSSAPI patches added by various Linux distributions and does not affect the OpenSSH upstream project itself.
In sshd in OpenSSH before 10.0, the DisableForwarding directive does not adhere to the documentation stating that it disables X11 and agent forwarding. Rated medium severity (CVSS 4.3), this vulnerability requires no authentication and has low attack complexity.
A flaw was found in the OpenSSH package. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable and requires no authentication. The EPSS exploitation probability is 42.5%, and no vendor patch is available.
Remote code execution in OpenSSH's sshd server (regression of CVE-2006-5051) allows unauthenticated remote attackers to exploit a signal handler race condition by failing to authenticate within the LoginGraceTime window, potentially yielding root-level code execution on glibc-based Linux systems. The flaw - widely known as 'regreSSHion' - affects numerous distributions and vendor appliances including Ubuntu 23.10/24.04, AlmaLinux 9, SonicWall SMA firmware, Arista EOS, NetApp ONTAP, and others. Publicly available exploit code exists and EPSS scores it at 48.06% (98th percentile), reflecting very high exploitation likelihood, though it is not currently listed in CISA KEV.