Upstream information
Description
OpenSSH 4.4 up to versions before 4.9 allows remote authenticated users to bypass the sshd_config ForceCommand directive by modifying the .ssh/rc session file.
SUSE information
Overall state of this security issue: Resolved
This issue is currently rated as having moderate severity.
Metric | National Vulnerability Database |
---|---|
Base Score | 6.5 |
Vector | AV:N/AC:L/Au:S/C:P/I:P/A:P |
Access Vector | Network |
Access Complexity | Low |
Authentication | Single |
Confidentiality Impact | Partial |
Integrity Impact | Partial |
Availability Impact | Partial |
Note from the SUSE Security Team
SUSE Linux Enterprise 10 SP 3 and earlier included versions up to openssh 4.2p1, which are not affected by this problem. SUSE Linux Enterprise 10 SP4 and later versions include versions of openssh 5.1p1 and later, which are no longer affected by this problem. As we had no shipping openssh on SUSE Linux Enterprise in the affected range of 4.4 up to 4.9, we did not need to release updates. Updates for openSUSE 10.2 and 10.3 have been released.
SUSE Bugzilla entry: 376668 [RESOLVED / FIXED]
SUSE Security Advisories:
- SUSE-SR:2008:009, published Fri, 11 Apr 2008 15:00:00 +0000
- TID7022102, published Sat Mar 3 09:45:41 UTC 2018
SUSE Timeline for this CVE
CVE page created: Fri Jun 28 03:39:22 2013
CVE page last modified: Fri Dec 8 16:25:50 2023