CVE-2023-25136

{"id": "CVE-2023-25136", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 4.2, "exploitabilityScore": 2.2}]}, "published": "2023-02-03T06:15:09.350", "references": [{"url": "http://www.openwall.com/lists/oss-security/2023/02/13/1", "tags": ["Mailing List", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "http://www.openwall.com/lists/oss-security/2023/02/22/1", "tags": ["Mailing List", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "http://www.openwall.com/lists/oss-security/2023/02/22/2", "tags": ["Mailing List", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "http://www.openwall.com/lists/oss-security/2023/02/23/3", "tags": ["Mailing List", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "http://www.openwall.com/lists/oss-security/2023/03/06/1", "tags": ["Mailing List", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "http://www.openwall.com/lists/oss-security/2023/03/09/2", "tags": ["Mailing List", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://bugzilla.mindrot.org/show_bug.cgi?id=3522", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://ftp.openbsd.org/pub/OpenBSD/patches/7.2/common/017_sshd.patch.sig", "tags": ["Patch", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/openssh/openssh-portable/commit/486c4dc3b83b4b67d663fb0fa62bc24138ec3946", "tags": ["Patch", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://jfrog.com/blog/openssh-pre-auth-double-free-cve-2023-25136-writeup-and-proof-of-concept/", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JGAUIXJ3TEKCRKVWFQ6GDAGQFTIIGQQP/", "source": "cve@mitre.org"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R7LKQDFZWKYHQ65TBSH2X2HJQ4V2THS3/", "source": "cve@mitre.org"}, {"url": "https://news.ycombinator.com/item?id=34711565", "tags": ["Issue Tracking", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://security.gentoo.org/glsa/202307-01", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://security.netapp.com/advisory/ntap-20230309-0003/", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.openwall.com/lists/oss-security/2023/02/02/2", "tags": ["Exploit", "Mailing List", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-415"}]}], "descriptions": [{"lang": "en", "value": "OpenSSH server (sshd) 9.1 introduced a double-free vulnerability during options.kex_algorithms handling. This is fixed in OpenSSH 9.2. The double free can be leveraged, by an unauthenticated remote attacker in the default configuration, to jump to any location in the sshd address space. One third-party report states \"remote code execution is theoretically possible.\""}, {"lang": "es", "value": "OpenSSH server (sshd) v9.1 introdujo una vulnerabilidad de doble liberaci\u00f3n durante el manejo de \"options.key_algorithms\". Esto se ha corregido en OpenSSH v9.2. La doble liberaci\u00f3n puede ser aprovechada por un atacante remoto no autenticado en la configuraci\u00f3n por defecto, para saltar a cualquier ubicaci\u00f3n en el espacio de direcciones de sshd. Un informe de terceros afirma que \"la ejecuci\u00f3n remota de c\u00f3digo es te\u00f3ricamente posible\"."}], "lastModified": "2024-02-27T15:15:14.617", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:openbsd:openssh:9.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "779485D0-83A2-404C-9477-82BDE8D63A40"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E30D0E6F-4AE8-4284-8716-991DFA48CC5D"}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CC559B26-5DFC-4B7A-A27C-B77DE755DFF9"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:netapp:ontap_select_deploy_administration_utility:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E7CF3019-975D-40BB-A8A4-894E62BD3797"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:netapp:a250_firmware:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1236B66D-EB11-4324-929F-E2B86683C3C7"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:netapp:a250:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "281DFC67-46BB-4FC2-BE03-3C65C9311F65"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:netapp:500f_firmware:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "ECF32BB1-9A58-4821-AE49-5D5C8200631F"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:netapp:500f:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "F21DE67F-CDFD-4D36-9967-633CD0240C6F"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:netapp:c250_firmware:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F1AB1EC2-2560-494A-A51B-6F20CE318FEB"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:netapp:c250:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "58DE2B52-4E49-4CD0-9310-00291B0352C7"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cve@mitre.org"}