CVE-2014-2532
Published: 18 March 2014
sshd in OpenSSH before 6.6 does not properly support wildcards on AcceptEnv lines in sshd_config, which allows remote attackers to bypass intended environment restrictions by using a substring located before a wildcard character.
Priority
Status
| Package | Release | Status |
|---|---|---|
|
openssh Launchpad, Ubuntu, Debian |
lucid |
Released
(1:5.3p1-3ubuntu7.1)
|
| precise |
Released
(1:5.9p1-5ubuntu1.2)
|
|
| quantal |
Released
(1:6.0p1-3ubuntu1.1)
|
|
| saucy |
Released
(1:6.2p2-6ubuntu0.2)
|
|
| upstream |
Released
(6.6p1)
|
|
|
Patches: upstream: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/session.c.diff?r1=1.270;r2=1.271 |
||
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 4.9 |
| Attack vector | Network |
| Attack complexity | High |
| Privileges required | Low |
| User interaction | None |
| Scope | Changed |
| Confidentiality | Low |
| Integrity impact | Low |
| Availability impact | None |
| Vector | CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N |