Description
ssh-add in OpenSSH before 9.3 adds smartcard keys to ssh-agent without the intended per-hop destination constraints. The earliest affected version is 8.9.
References (7)
Core 7
Core References
Mailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]/message/AN2UDTXEUSKFIOIYMV6JNI5VSBMYZOFT/
Mailing List, Release Notes
https://www.openwall.com/lists/oss-security/2023/03/15/8
Third Party Advisory
https://security.netapp.com/advisory/ntap-20230413-0008/
Third Party Advisory vendor-advisory
https://security.gentoo.org/glsa/202307-01
Third Party Advisory vendor-advisory
https://www.debian.org/security/2023/dsa-5586
Mailing List, Third Party Advisory vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AN2UDTXEUSKFIOIYMV6JNI5VSBMYZOFT/
Vendor Advisory
https://cert-portal.siemens.com/productcert/html/ssa-082556.html
Scores
CVSS v3
9.8
EPSS
0.0039
EPSS Percentile
60.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
Status
published
Products (4)
netapp/brocade_fabric_operating_system
netapp/hci_bootstrap_os
netapp/solidfire_element_os
openbsd/openssh
8.9 - 9.3
Published
Mar 17, 2023
Tracked Since
Feb 18, 2026