CVE-2023-51384 — MEDIUM (5.5)

Q: How severe is CVE-2023-51384?

CVE-2023-51384 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2023-51384?

Check the references section above for vendor advisories and patch information. Affected products include: Openbsd Openssh, Debian Debian Linux.

Vulnerability Description

In ssh-agent in OpenSSH before 9.6, certain destination constraints can be incompletely applied. When destination constraints are specified during addition of PKCS#11-hosted private keys, these constraints are only applied to the first key, even if a PKCS#11 token returns multiple keys.

CVSS Score

5.5

MEDIUM

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Openbsd	Openssh	>= 8.9, < 9.6
Debian	Debian Linux	11.0

References

http://seclists.org/fulldisclosure/2024/Mar/21Mailing ListThird Party Advisory
https://github.com/openssh/openssh-portable/commit/881d9c6af9da4257c69c327c4e2f1PatchThird Party Advisory
https://security.netapp.com/advisory/ntap-20240105-0005/Third Party Advisory
https://support.apple.com/kb/HT214084Third Party Advisory
https://www.debian.org/security/2023/dsa-5586Third Party Advisory
https://www.openssh.com/txt/release-9.6Release Notes
https://www.openwall.com/lists/oss-security/2023/12/18/2Mailing ListRelease Notes
http://seclists.org/fulldisclosure/2024/Mar/21Mailing ListThird Party Advisory
https://github.com/openssh/openssh-portable/commit/881d9c6af9da4257c69c327c4e2f1PatchThird Party Advisory
https://security.netapp.com/advisory/ntap-20240105-0005/Third Party Advisory
https://support.apple.com/kb/HT214084Third Party Advisory
https://www.debian.org/security/2023/dsa-5586Third Party Advisory
https://www.openssh.com/txt/release-9.6Release Notes
https://www.openwall.com/lists/oss-security/2023/12/18/2Mailing ListRelease Notes
https://cert-portal.siemens.com/productcert/html/ssa-082556.html

FAQ

What is CVE-2023-51384?

CVE-2023-51384 is a vulnerability with a CVSS score of 5.5 (MEDIUM). In ssh-agent in OpenSSH before 9.6, certain destination constraints can be incompletely applied. When destination constraints are specified during addition of PKCS#11-hosted private keys, these constr...

How severe is CVE-2023-51384?

CVE-2023-51384 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2023-51384?

Check the references section above for vendor advisories and patch information. Affected products include: Openbsd Openssh, Debian Debian Linux.