AZL-9045

See a problem?

Import Source

https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-9045.json

JSON Data

https://api.osv.dev/v1/vulns/AZL-9045

Upstream

CVE-2021-36368

Published

2022-03-13T00:15:07Z

Modified

2026-04-21T04:34:58.498112Z

Severity

3.7 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

CVE-2021-36368 affecting package openssh for versions less than 8.9p1-1

Details

An issue was discovered in OpenSSH before 8.9. If a client is using public-key authentication with agent forwarding but without -oLogLevel=verbose, and an attacker has silently modified the server to support the None authentication option, then the user cannot determine whether FIDO authentication is going to confirm that the user wishes to connect to that server, or that the user wishes to allow that server to connect to a different server on the user's behalf. NOTE: the vendor's position is "this is not an authentication bypass, since nothing is being bypassed.

References

https://nvd.nist.gov/vuln/detail/CVE-2021-36368

Affected packages

Azure Linux:2 / openssh

Package

Name: openssh
Purl: pkg:rpm/azure-linux/openssh

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

8.9p1-1

Database specific

source

"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-9045.json"