rpm package
almalinux/openssh-cavs
pkg:rpm/almalinux/openssh-cavs
Vulnerabilities (14)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-35414 | Med | 4.2 | < 8.0p1-29.el8_10 | 8.0p1-29.el8_10 | Apr 2, 2026 | OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certificate Authority that makes certain use of comma characters. | |
| CVE-2026-35388 | Low | 2.5 | < 8.0p1-29.el8_10 | 8.0p1-29.el8_10 | Apr 2, 2026 | OpenSSH before 10.3 omits connection multiplexing confirmation for proxy-mode multiplexing sessions. | |
| CVE-2026-35387 | Low | 3.1 | < 8.0p1-29.el8_10 | 8.0p1-29.el8_10 | Apr 2, 2026 | OpenSSH before 10.3 can use unintended ECDSA algorithms. Listing of any ECDSA algorithm in PubkeyAcceptedAlgorithms or HostbasedAcceptedAlgorithms is misinterpreted to mean all ECDSA algorithms. | |
| CVE-2026-35386 | Low | 3.6 | < 8.0p1-29.el8_10 | 8.0p1-29.el8_10 | Apr 2, 2026 | In OpenSSH before 10.3, command execution can occur via shell metacharacters in a username within a command line. This requires a scenario where the username on the command line is untrusted, and also requires a non-default configurations of % in ssh_config. | |
| CVE-2026-35385 | Hig | 7.5 | < 8.0p1-29.el8_10 | 8.0p1-29.el8_10 | Apr 2, 2026 | In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users' expectations, if the download is performed as root with -O (legacy scp protocol) and without -p (preserve mode). | |
| CVE-2026-3497 | Hig | 7.5 | < 8.0p1-28.el8_10 | 8.0p1-28.el8_10 | Mar 12, 2026 | Vulnerability in the OpenSSH GSSAPI delta included in various Linux distributions. This vulnerability affects the GSSAPI patches added by various Linux distributions and does not affect the OpenSSH upstream project itself. The usage of sshpkt_disconnect() on an error, which does | |
| CVE-2025-61985 | Low | 3.6 | < 8.0p1-27.el8_10 | 8.0p1-27.el8_10 | Oct 6, 2025 | ssh in OpenSSH before 10.1 allows the '\0' character in an ssh:// URI, potentially leading to code execution when a ProxyCommand is used. | |
| CVE-2025-61984 | Low | 3.6 | < 8.0p1-27.el8_10 | 8.0p1-27.el8_10 | Oct 6, 2025 | ssh in OpenSSH before 10.1 allows control characters in usernames that originate from certain possibly untrusted sources, potentially leading to code execution when a ProxyCommand is used. The untrusted sources are the command line and %-sequence expansion of a configuration file | |
| CVE-2025-26465 | Med | 6.8 | < 8.0p1-26.el8_10 | 8.0p1-26.el8_10 | Feb 18, 2025 | A vulnerability was found in OpenSSH when the VerifyHostKeyDNS option is enabled. A machine-in-the-middle attack can be performed by a malicious machine impersonating a legit server. This issue occurs due to how OpenSSH mishandles error codes in specific conditions when verifying | |
| CVE-2023-51385 | Med | 6.5 | < 8.0p1-19.el8_9.2 | 8.0p1-19.el8_9.2 | Dec 18, 2023 | In ssh in OpenSSH before 9.6, OS command injection might occur if a user name or host name has shell metacharacters, and this name is referenced by an expansion token in certain situations. For example, an untrusted Git repository can have a submodule with shell metacharacters in | |
| CVE-2023-48795 | Med | 5.9 | < 8.0p1-19.el8_9.2 | 8.0p1-19.el8_9.2 | Dec 18, 2023 | The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end | |
| CVE-2023-38408 | — | < 8.0p1-19.el8_8 | 8.0p1-19.el8_8 | Jul 20, 2023 | The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this is | ||
| CVE-2021-41617 | Hig | 7.0 | < 8.0p1-13.el8 | 8.0p1-13.el8 | Sep 26, 2021 | sshd in OpenSSH 6.2 through 8.x before 8.8, when certain non-default configurations are used, allows privilege escalation because supplemental groups are not initialized as expected. Helper programs for AuthorizedKeysCommand and AuthorizedPrincipalsCommand may run with privileges | |
| CVE-2020-15778 | — | < 8.0p1-24.el8 | 8.0p1-24.el8 | Jul 24, 2020 | scp in OpenSSH through 8.3p1 allows command injection in the scp.c toremote function, as demonstrated by backtick characters in the destination argument. NOTE: the vendor reportedly has stated that they intentionally omit validation of "anomalous argument transfers" because that |
- affected < 8.0p1-29.el8_10fixed 8.0p1-29.el8_10
OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certificate Authority that makes certain use of comma characters.
- affected < 8.0p1-29.el8_10fixed 8.0p1-29.el8_10
OpenSSH before 10.3 omits connection multiplexing confirmation for proxy-mode multiplexing sessions.
- affected < 8.0p1-29.el8_10fixed 8.0p1-29.el8_10
OpenSSH before 10.3 can use unintended ECDSA algorithms. Listing of any ECDSA algorithm in PubkeyAcceptedAlgorithms or HostbasedAcceptedAlgorithms is misinterpreted to mean all ECDSA algorithms.
- affected < 8.0p1-29.el8_10fixed 8.0p1-29.el8_10
In OpenSSH before 10.3, command execution can occur via shell metacharacters in a username within a command line. This requires a scenario where the username on the command line is untrusted, and also requires a non-default configurations of % in ssh_config.
- affected < 8.0p1-29.el8_10fixed 8.0p1-29.el8_10
In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users' expectations, if the download is performed as root with -O (legacy scp protocol) and without -p (preserve mode).
- affected < 8.0p1-28.el8_10fixed 8.0p1-28.el8_10
Vulnerability in the OpenSSH GSSAPI delta included in various Linux distributions. This vulnerability affects the GSSAPI patches added by various Linux distributions and does not affect the OpenSSH upstream project itself. The usage of sshpkt_disconnect() on an error, which does
- affected < 8.0p1-27.el8_10fixed 8.0p1-27.el8_10
ssh in OpenSSH before 10.1 allows the '\0' character in an ssh:// URI, potentially leading to code execution when a ProxyCommand is used.
- affected < 8.0p1-27.el8_10fixed 8.0p1-27.el8_10
ssh in OpenSSH before 10.1 allows control characters in usernames that originate from certain possibly untrusted sources, potentially leading to code execution when a ProxyCommand is used. The untrusted sources are the command line and %-sequence expansion of a configuration file
- affected < 8.0p1-26.el8_10fixed 8.0p1-26.el8_10
A vulnerability was found in OpenSSH when the VerifyHostKeyDNS option is enabled. A machine-in-the-middle attack can be performed by a malicious machine impersonating a legit server. This issue occurs due to how OpenSSH mishandles error codes in specific conditions when verifying
- affected < 8.0p1-19.el8_9.2fixed 8.0p1-19.el8_9.2
In ssh in OpenSSH before 9.6, OS command injection might occur if a user name or host name has shell metacharacters, and this name is referenced by an expansion token in certain situations. For example, an untrusted Git repository can have a submodule with shell metacharacters in
- affected < 8.0p1-19.el8_9.2fixed 8.0p1-19.el8_9.2
The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end
- CVE-2023-38408Jul 20, 2023affected < 8.0p1-19.el8_8fixed 8.0p1-19.el8_8
The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this is
- affected < 8.0p1-13.el8fixed 8.0p1-13.el8
sshd in OpenSSH 6.2 through 8.x before 8.8, when certain non-default configurations are used, allows privilege escalation because supplemental groups are not initialized as expected. Helper programs for AuthorizedKeysCommand and AuthorizedPrincipalsCommand may run with privileges
- CVE-2020-15778Jul 24, 2020affected < 8.0p1-24.el8fixed 8.0p1-24.el8
scp in OpenSSH through 8.3p1 allows command injection in the scp.c toremote function, as demonstrated by backtick characters in the destination argument. NOTE: the vendor reportedly has stated that they intentionally omit validation of "anomalous argument transfers" because that