CVE-2014-2532
Published: 18 March 2014
sshd in OpenSSH before 6.6 does not properly support wildcards on AcceptEnv lines in sshd_config, which allows remote attackers to bypass intended environment restrictions by using a substring located before a wildcard character.
Priority
Status
Package | Release | Status |
---|---|---|
openssh Launchpad, Ubuntu, Debian |
lucid |
Released
(1:5.3p1-3ubuntu7.1)
|
precise |
Released
(1:5.9p1-5ubuntu1.2)
|
|
quantal |
Released
(1:6.0p1-3ubuntu1.1)
|
|
saucy |
Released
(1:6.2p2-6ubuntu0.2)
|
|
upstream |
Released
(6.6p1)
|
|
Patches: upstream: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/session.c.diff?r1=1.270;r2=1.271 |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 4.9 |
Attack vector | Network |
Attack complexity | High |
Privileges required | Low |
User interaction | None |
Scope | Changed |
Confidentiality | Low |
Integrity impact | Low |
Availability impact | None |
Vector | CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N |