CVE-2023-48795

ssh: Prefix truncation attack on Binary Packet Protocol (BPP)

Severity Score

5.9

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.

El protocolo de transporte SSH con ciertas extensiones OpenSSH, que se encuentra en OpenSSH anterior a 9.6 y otros productos, permite a atacantes remotos eludir las comprobaciones de integridad de modo que algunos paquetes se omiten (del mensaje de negociación de extensión) y, en consecuencia, un cliente y un servidor pueden terminar con una conexión para la cual algunas características de seguridad han sido degradadas o deshabilitadas, también conocido como un ataque Terrapin. Esto ocurre porque SSH Binary Packet Protocol (BPP), implementado por estas extensiones, maneja mal la fase de protocolo de enlace y el uso de números de secuencia. Por ejemplo, existe un ataque eficaz contra ChaCha20-Poly1305 (y CBC con Encrypt-then-MAC). La omisión se produce en chacha20-poly1305@openssh.com y (si se utiliza CBC) en los algoritmos MAC -etm@openssh.com. Esto también afecta a Maverick Synergy Java SSH API anterior a 3.1.0-SNAPSHOT, Dropbear hasta 2022.83, Ssh anterior a 5.1.1 en Erlang/OTP, PuTTY anterior a 0.80 y AsyncSSH anterior a 2.14.2; y podría haber efectos en Bitvise SSH hasta la versión 9.31, libssh hasta la 0.10.5 y golang.org/x/crypto hasta el 17 de diciembre de 2023.

A flaw was found in the SSH channel integrity. By manipulating sequence numbers during the handshake, an attacker can remove the initial messages on the secure channel without causing a MAC failure. For example, an attacker could disable the ping extension and thus disable the new countermeasure in OpenSSH 9.5 against keystroke timing attacks.

*Credits: N/A

CVSS Scores

NISTv3.1 5.9

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2023-11-20 CVE Reserved
2023-12-18 CVE Published
2024-08-02 CVE Updated
2024-08-02 First Exploit
2024-11-17 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-222: Truncation of Security-relevant Information
CWE-354: Improper Validation of Integrity Check Value

CAPEC

References (120)

URL	Tag	Source
http://packetstormsecurity.com/files/176280/Terrapin-SSH-Connection-Weakening.html	Third Party Advisory
http://seclists.org/fulldisclosure/2024/Mar/21	Mailing List
http://www.openwall.com/lists/oss-security/2023/12/18/3	Mailing List
http://www.openwall.com/lists/oss-security/2023/12/19/5	Mailing List
http://www.openwall.com/lists/oss-security/2023/12/20/3	Mailing List
http://www.openwall.com/lists/oss-security/2024/03/06/3	Mailing List
http://www.openwall.com/lists/oss-security/2024/04/17/8	Mailing List
https://access.redhat.com/security/cve/cve-2023-48795	Third Party Advisory
https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack	Media Coverage
https://bugs.gentoo.org/920280	Issue Tracking
https://bugzilla.suse.com/show_bug.cgi?id=1217950	Issue Tracking
https://crates.io/crates/thrussh/versions	Release Notes
https://filezilla-project.org/versions.php	Release Notes
https://forum.netgate.com/topic/184941/terrapin-ssh-attack	Issue Tracking
https://github.com/NixOS/nixpkgs/pull/275249	Release Notes
https://github.com/PowerShell/Win32-OpenSSH/issues/2189	Issue Tracking
https://github.com/PowerShell/Win32-OpenSSH/releases/tag/v9.5.0.0p1-Beta	Release Notes
https://github.com/TeraTermProject/teraterm/releases/tag/v5.1	Release Notes
https://github.com/advisories/GHSA-45x7-px36-x8w8	Third Party Advisory
https://github.com/apache/mina-sshd/issues/445	Issue Tracking
https://github.com/connectbot/sshlib/compare/2.2.21...2.2.22	Third Party Advisory
https://github.com/cyd01/KiTTY/issues/520	Issue Tracking
https://github.com/drakkan/sftpgo/releases/tag/v2.5.6	Release Notes
https://github.com/erlang/otp/releases/tag/OTP-26.2.1	Release Notes
https://github.com/hierynomus/sshj/issues/916	Issue Tracking
https://github.com/janmojzis/tinyssh/issues/81	Issue Tracking
https://github.com/libssh2/libssh2/pull/1291	Mitigation
https://github.com/mwiede/jsch/compare/jsch-0.2.14...jsch-0.2.15	Product
https://github.com/mwiede/jsch/issues/457	Issue Tracking
https://github.com/mwiede/jsch/pull/461	Release Notes
https://github.com/paramiko/paramiko/issues/2337	Issue Tracking
https://github.com/proftpd/proftpd/blob/0a7ea9b0ba9fcdf368374a226370d08f10397d99/RELEASE_NOTES	Release Notes
https://github.com/proftpd/proftpd/blob/d21e7a2e47e9b38f709bec58e3fa711f759ad0e1/RELEASE_NOTES	Release Notes
https://github.com/proftpd/proftpd/blob/master/RELEASE_NOTES	Release Notes
https://github.com/proftpd/proftpd/issues/456	Issue Tracking
https://github.com/rapier1/hpn-ssh/releases	Release Notes
https://github.com/ronf/asyncssh/blob/develop/docs/changes.rst	Release Notes
https://github.com/ronf/asyncssh/tags	Release Notes
https://github.com/ssh-mitm/ssh-mitm/issues/165	Issue Tracking
https://github.com/warp-tech/russh/releases/tag/v0.40.2	Release Notes
https://gitlab.com/libssh/libssh-mirror/-/tags	Release Notes
https://groups.google.com/g/golang-announce/c/-n5WqVC18LQ	Mailing List
https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg	Mailing List
https://help.panic.com/releasenotes/transmit5	Release Notes
https://jadaptive.com/important-java-ssh-security-update-new-ssh-vulnerability-discovered-cve-2023-48795	Media Coverage
https://lists.debian.org/debian-lts-announce/2023/12/msg00017.html	Mailing List
https://lists.debian.org/debian-lts-announce/2024/01/msg00013.html	Mailing List
https://lists.debian.org/debian-lts-announce/2024/01/msg00014.html	Mailing List
https://lists.debian.org/debian-lts-announce/2024/04/msg00016.html	Mailing List
https://matt.ucc.asn.au/dropbear/CHANGES	Release Notes
https://news.ycombinator.com/item?id=38684904	Issue Tracking
https://news.ycombinator.com/item?id=38685286	Issue Tracking
https://news.ycombinator.com/item?id=38732005	Issue Tracking
https://nova.app/releases/#v11.8	Release Notes
https://oryx-embedded.com/download/#changelog	Release Notes
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0002	Third Party Advisory
https://roumenpetrov.info/secsh/#news20231220	Release Notes
https://security-tracker.debian.org/tracker/source-package/trilead-ssh2	Issue Tracking
https://security.netapp.com/advisory/ntap-20240105-0004	Third Party Advisory
https://support.apple.com/kb/HT214084	Third Party Advisory
https://thorntech.com/cve-2023-48795-and-sftp-gateway	Third Party Advisory
https://twitter.com/TrueSkrillor/status/1736774389725565005	Media Coverage
https://winscp.net/eng/docs/history#6.2.2	Release Notes
https://www.bitvise.com/ssh-client-version-history#933	Release Notes
https://www.bitvise.com/ssh-server-version-history	Release Notes
https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html	Release Notes
https://www.crushftp.com/crush10wiki/Wiki.jsp?page=Update	Release Notes
https://www.freebsd.org/security/advisories/FreeBSD-SA-23:19.openssh.asc	Release Notes
https://www.netsarang.com/en/xshell-update-history	Release Notes
https://www.openssh.com/openbsd.html	Release Notes
https://www.openssh.com/txt/release-9.6	Release Notes
https://www.openwall.com/lists/oss-security/2023/12/18/2	Mailing List
https://www.openwall.com/lists/oss-security/2023/12/20/3	Mailing List
https://www.paramiko.org/changelog.html	Release Notes
https://www.reddit.com/r/sysadmin/comments/18idv52/cve202348795_why_is_this_cve_still_undisclosed	Issue Tracking
https://www.suse.com/c/suse-addresses-the-ssh-v2-protocol-terrapin-attack-aka-cve-2023-48795	Media Coverage
https://www.theregister.com/2023/12/20/terrapin_attack_ssh	Media Coverage
https://www.vandyke.com/products/securecrt/history.txt	Release Notes

URL	Date	SRC
https://www.terrapin-attack.com	2024-08-02

URL	Date	SRC
https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.10&id=10e09e273f69e149389b3e0e5d44b8c221c2e7f6	2024-05-01
https://github.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0	2024-05-01
https://github.com/connectbot/sshlib/commit/5c8b534f6e97db7ac0e0e579331213aa25c173ab	2024-05-01
https://github.com/erlang/otp/blob/d1b43dc0f1361d2ad67601169e90a7fc50bb0369/lib/ssh/doc/src/notes.xml#L39-L42	2024-05-01
https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d	2024-05-01
https://github.com/jtesta/ssh-audit/commit/8e972c5e94b460379fe0c7d20209c16df81538a5	2024-05-01
https://github.com/mkj/dropbear/blob/17657c36cce6df7716d5ff151ec09a665382d5dd/CHANGES#L25	2024-05-01
https://github.com/mscdex/ssh2/commit/97b223f8891b96d6fc054df5ab1d5a1a545da2a3	2024-05-01
https://github.com/net-ssh/net-ssh/blob/2e65064a52d73396bfc3806c9196fc8108f33cd8/CHANGES.txt#L14-L16	2024-05-01
https://github.com/openssh/openssh-portable/commits/master	2024-05-01
https://nest.pijul.com/pijul/thrussh/changes/D6H7OWTTMHHX6BTB3B6MNBOBX2L66CBL4LGSEUSAI2MCRCJDQFRQC	2024-05-01

URL	Date	SRC
https://bugzilla.redhat.com/show_bug.cgi?id=2254210	2024-05-01
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/33XHJUB6ROFUOH2OQNENFROTVH6MHSHA	2024-05-01
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3CAYYW35MUTNO65RVAELICTNZZFMT2XS	2024-05-01
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3JIMLVBDWOP4FUPXPTB4PGHHIOMGFLQE	2024-05-01
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3YQLUQWLIHDB5QCXQEX7HXHAWMOKPP5O	2024-05-01
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6Y74KVCPEPT4MVU3LHDWCNNOXOE5ZLUR	2024-05-01
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/APYIXIQOVDCRWLHTGB4VYMAUIAQLKYJ3	2024-05-01
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BL5KTLOSLH2KHRN4HCXJPK3JUVLDGEL6	2024-05-01
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C3AFMZ6MH2UHHOPIWT5YLSFV3D2VB3AC	2024-05-01
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CHHITS4PUOZAKFIUBQAQZC7JWXMOYE4B	2024-05-01
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F7EYCFQCTSGJXWO3ZZ44MGKFC5HA7G3Y	2024-05-01
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HYEDEXIKFKTUJIN43RG4B7T5ZS6MHUSP	2024-05-01
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I724O3LSRCPO4WNVIXTZCT4VVRMXMMSG	2024-05-01
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KEOTKBUPZXHE3F352JBYNTSNRXYLWD6P	2024-05-01
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KMZCVGUGJZZVDPCVDA7TEB22VUCNEXDD	2024-05-01
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L5Y6MNNVAPIJSXJERQ6PKZVCIUXSNJK7	2024-05-01
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LZQVUHWVWRH73YBXUQJOD6CKHDQBU3DM	2024-05-01
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MKQRBF3DWMWPH36LBCOBUTSIZRTPEZXB	2024-05-01
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QI3EHAHABFQK7OABNCSF5GMYP6TONTI7	2024-05-01
https://security-tracker.debian.org/tracker/CVE-2023-48795	2024-05-01
https://security-tracker.debian.org/tracker/source-package/libssh2	2024-05-01
https://security-tracker.debian.org/tracker/source-package/proftpd-dfsg	2024-05-01
https://security.gentoo.org/glsa/202312-16	2024-05-01
https://security.gentoo.org/glsa/202312-17	2024-05-01
https://ubuntu.com/security/CVE-2023-48795	2024-05-01
https://www.debian.org/security/2023/dsa-5586	2024-05-01
https://www.debian.org/security/2023/dsa-5588	2024-05-01
https://www.lancom-systems.de/service-support/allgemeine-sicherheitshinweise#c243508	2024-05-01
https://access.redhat.com/security/cve/CVE-2023-48795	2024-10-23
https://access.redhat.com/solutions/7071748	2024-10-23

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Panic Search vendor "Panic"	Transmit 5 Search vendor "Panic" for product "Transmit 5"	< 5.10.4 Search vendor "Panic" for product "Transmit 5" and version " < 5.10.4"	-	Affected	in	Apple Search vendor "Apple"	Macos Search vendor "Apple" for product "Macos"	-	-	Safe
Panic Search vendor "Panic"	Nova Search vendor "Panic" for product "Nova"	< 11.8 Search vendor "Panic" for product "Nova" and version " < 11.8"	-	Affected	in	Apple Search vendor "Apple"	Macos Search vendor "Apple" for product "Macos"	-	-	Safe
Gentoo Search vendor "Gentoo"	Security Search vendor "Gentoo" for product "Security"	-	-	Affected	in	Debian Search vendor "Debian"	Debian Linux Search vendor "Debian" for product "Debian Linux"	-	-	Safe
Openbsd Search vendor "Openbsd"		Openssh Search vendor "Openbsd" for product "Openssh"				< 9.6 Search vendor "Openbsd" for product "Openssh" and version " < 9.6"		-		Affected
Putty Search vendor "Putty"		Putty Search vendor "Putty" for product "Putty"				< 0.80 Search vendor "Putty" for product "Putty" and version " < 0.80"		-		Affected
Filezilla-project Search vendor "Filezilla-project"		Filezilla Client Search vendor "Filezilla-project" for product "Filezilla Client"				< 3.66.4 Search vendor "Filezilla-project" for product "Filezilla Client" and version " < 3.66.4"		-		Affected
Microsoft Search vendor "Microsoft"		Powershell Search vendor "Microsoft" for product "Powershell"				<= 11.1.0 Search vendor "Microsoft" for product "Powershell" and version " <= 11.1.0"		-		Affected
Roumenpetrov Search vendor "Roumenpetrov"		Pkixssh Search vendor "Roumenpetrov" for product "Pkixssh"				< 14.4 Search vendor "Roumenpetrov" for product "Pkixssh" and version " < 14.4"		-		Affected
Winscp Search vendor "Winscp"		Winscp Search vendor "Winscp" for product "Winscp"				< 6.2.2 Search vendor "Winscp" for product "Winscp" and version " < 6.2.2"		-		Affected
Bitvise Search vendor "Bitvise"		Ssh Client Search vendor "Bitvise" for product "Ssh Client"				< 9.33 Search vendor "Bitvise" for product "Ssh Client" and version " < 9.33"		-		Affected
Bitvise Search vendor "Bitvise"		Ssh Server Search vendor "Bitvise" for product "Ssh Server"				< 9.32 Search vendor "Bitvise" for product "Ssh Server" and version " < 9.32"		-		Affected
Lancom-systems Search vendor "Lancom-systems"		Lcos Search vendor "Lancom-systems" for product "Lcos"				<= 3.66.4 Search vendor "Lancom-systems" for product "Lcos" and version " <= 3.66.4"		-		Affected
Lancom-systems Search vendor "Lancom-systems"		Lcos Fx Search vendor "Lancom-systems" for product "Lcos Fx"				-		-		Affected
Lancom-systems Search vendor "Lancom-systems"		Lcos Lx Search vendor "Lancom-systems" for product "Lcos Lx"				-		-		Affected
Lancom-systems Search vendor "Lancom-systems"		Lcos Sx Search vendor "Lancom-systems" for product "Lcos Sx"				4.20 Search vendor "Lancom-systems" for product "Lcos Sx" and version "4.20"		-		Affected
Lancom-systems Search vendor "Lancom-systems"		Lcos Sx Search vendor "Lancom-systems" for product "Lcos Sx"				5.20 Search vendor "Lancom-systems" for product "Lcos Sx" and version "5.20"		-		Affected
Lancom-systems Search vendor "Lancom-systems"		Lanconfig Search vendor "Lancom-systems" for product "Lanconfig"				-		-		Affected
Vandyke Search vendor "Vandyke"		Securecrt Search vendor "Vandyke" for product "Securecrt"				< 9.4.3 Search vendor "Vandyke" for product "Securecrt" and version " < 9.4.3"		-		Affected
Libssh Search vendor "Libssh"		Libssh Search vendor "Libssh" for product "Libssh"				< 0.10.6 Search vendor "Libssh" for product "Libssh" and version " < 0.10.6"		-		Affected
Net-ssh Search vendor "Net-ssh"		Net-ssh Search vendor "Net-ssh" for product "Net-ssh"				7.2.0 Search vendor "Net-ssh" for product "Net-ssh" and version "7.2.0"		ruby		Affected
Ssh2 Project Search vendor "Ssh2 Project"		Ssh2 Search vendor "Ssh2 Project" for product "Ssh2"				<= 1.11.0 Search vendor "Ssh2 Project" for product "Ssh2" and version " <= 1.11.0"		node.js		Affected
Proftpd Search vendor "Proftpd"		Proftpd Search vendor "Proftpd" for product "Proftpd"				<= 1.3.8b Search vendor "Proftpd" for product "Proftpd" and version " <= 1.3.8b"		-		Affected
Freebsd Search vendor "Freebsd"		Freebsd Search vendor "Freebsd" for product "Freebsd"				<= 12.4 Search vendor "Freebsd" for product "Freebsd" and version " <= 12.4"		-		Affected
Crates Search vendor "Crates"		Thrussh Search vendor "Crates" for product "Thrussh"				< 0.35.1 Search vendor "Crates" for product "Thrussh" and version " < 0.35.1"		-		Affected
Tera Term Project Search vendor "Tera Term Project"		Tera Term Search vendor "Tera Term Project" for product "Tera Term"				<= 5.1 Search vendor "Tera Term Project" for product "Tera Term" and version " <= 5.1"		-		Affected
Oryx-embedded Search vendor "Oryx-embedded"		Cyclone Ssh Search vendor "Oryx-embedded" for product "Cyclone Ssh"				< 2.3.4 Search vendor "Oryx-embedded" for product "Cyclone Ssh" and version " < 2.3.4"		-		Affected
Crushftp Search vendor "Crushftp"		Crushftp Search vendor "Crushftp" for product "Crushftp"				<= 10.6.0 Search vendor "Crushftp" for product "Crushftp" and version " <= 10.6.0"		-		Affected
Netsarang Search vendor "Netsarang"		Xshell 7 Search vendor "Netsarang" for product "Xshell 7"				< build__0144 Search vendor "Netsarang" for product "Xshell 7" and version " < build__0144"		-		Affected
Paramiko Search vendor "Paramiko"		Paramiko Search vendor "Paramiko" for product "Paramiko"				< 3.4.0 Search vendor "Paramiko" for product "Paramiko" and version " < 3.4.0"		-		Affected
Redhat Search vendor "Redhat"		Openshift Container Platform Search vendor "Redhat" for product "Openshift Container Platform"				4.0 Search vendor "Redhat" for product "Openshift Container Platform" and version "4.0"		-		Affected
Redhat Search vendor "Redhat"		Openstack Platform Search vendor "Redhat" for product "Openstack Platform"				16.1 Search vendor "Redhat" for product "Openstack Platform" and version "16.1"		-		Affected
Redhat Search vendor "Redhat"		Openstack Platform Search vendor "Redhat" for product "Openstack Platform"				16.2 Search vendor "Redhat" for product "Openstack Platform" and version "16.2"		-		Affected
Redhat Search vendor "Redhat"		Openstack Platform Search vendor "Redhat" for product "Openstack Platform"				17.1 Search vendor "Redhat" for product "Openstack Platform" and version "17.1"		-		Affected
Redhat Search vendor "Redhat"		Ceph Storage Search vendor "Redhat" for product "Ceph Storage"				6.0 Search vendor "Redhat" for product "Ceph Storage" and version "6.0"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux"				8.0 Search vendor "Redhat" for product "Enterprise Linux" and version "8.0"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux"				9.0 Search vendor "Redhat" for product "Enterprise Linux" and version "9.0"		-		Affected
Redhat Search vendor "Redhat"		Openshift Serverless Search vendor "Redhat" for product "Openshift Serverless"				-		-		Affected
Redhat Search vendor "Redhat"		Openshift Gitops Search vendor "Redhat" for product "Openshift Gitops"				-		-		Affected
Redhat Search vendor "Redhat"		Openshift Pipelines Search vendor "Redhat" for product "Openshift Pipelines"				-		-		Affected
Redhat Search vendor "Redhat"		Openshift Developer Tools And Services Search vendor "Redhat" for product "Openshift Developer Tools And Services"				-		-		Affected
Redhat Search vendor "Redhat"		Openshift Data Foundation Search vendor "Redhat" for product "Openshift Data Foundation"				4.0 Search vendor "Redhat" for product "Openshift Data Foundation" and version "4.0"		-		Affected
Redhat Search vendor "Redhat"		Openshift Api For Data Protection Search vendor "Redhat" for product "Openshift Api For Data Protection"				-		-		Affected
Redhat Search vendor "Redhat"		Openshift Virtualization Search vendor "Redhat" for product "Openshift Virtualization"				4 Search vendor "Redhat" for product "Openshift Virtualization" and version "4"		-		Affected
Redhat Search vendor "Redhat"		Storage Search vendor "Redhat" for product "Storage"				3.0 Search vendor "Redhat" for product "Storage" and version "3.0"		-		Affected
Redhat Search vendor "Redhat"		Discovery Search vendor "Redhat" for product "Discovery"				-		-		Affected
Redhat Search vendor "Redhat"		Openshift Dev Spaces Search vendor "Redhat" for product "Openshift Dev Spaces"				-		-		Affected
Redhat Search vendor "Redhat"		Cert-manager Operator For Red Hat Openshift Search vendor "Redhat" for product "Cert-manager Operator For Red Hat Openshift"				-		-		Affected
Redhat Search vendor "Redhat"		Keycloak Search vendor "Redhat" for product "Keycloak"				-		-		Affected
Redhat Search vendor "Redhat"		Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform"				7.0 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "7.0"		-		Affected
Redhat Search vendor "Redhat"		Single Sign-on Search vendor "Redhat" for product "Single Sign-on"				7.0 Search vendor "Redhat" for product "Single Sign-on" and version "7.0"		-		Affected
Redhat Search vendor "Redhat"		Advanced Cluster Security Search vendor "Redhat" for product "Advanced Cluster Security"				3.0 Search vendor "Redhat" for product "Advanced Cluster Security" and version "3.0"		-		Affected
Redhat Search vendor "Redhat"		Advanced Cluster Security Search vendor "Redhat" for product "Advanced Cluster Security"				4.0 Search vendor "Redhat" for product "Advanced Cluster Security" and version "4.0"		-		Affected
Golang Search vendor "Golang"		Crypto Search vendor "Golang" for product "Crypto"				< 0.17.0 Search vendor "Golang" for product "Crypto" and version " < 0.17.0"		-		Affected
Russh Project Search vendor "Russh Project"		Russh Search vendor "Russh Project" for product "Russh"				< 0.40.2 Search vendor "Russh Project" for product "Russh" and version " < 0.40.2"		rust		Affected
Sftpgo Project Search vendor "Sftpgo Project"		Sftpgo Search vendor "Sftpgo Project" for product "Sftpgo"				< 2.5.6 Search vendor "Sftpgo Project" for product "Sftpgo" and version " < 2.5.6"		-		Affected
Erlang Search vendor "Erlang"		Erlang\/otp Search vendor "Erlang" for product "Erlang\/otp"				< 26.2.1 Search vendor "Erlang" for product "Erlang\/otp" and version " < 26.2.1"		-		Affected
Matez Search vendor "Matez"		Jsch Search vendor "Matez" for product "Jsch"				< 0.2.15 Search vendor "Matez" for product "Jsch" and version " < 0.2.15"		-		Affected
Libssh2 Search vendor "Libssh2"		Libssh2 Search vendor "Libssh2" for product "Libssh2"				< 1.11.10 Search vendor "Libssh2" for product "Libssh2" and version " < 1.11.10"		-		Affected
Asyncssh Project Search vendor "Asyncssh Project"		Asyncssh Search vendor "Asyncssh Project" for product "Asyncssh"				< 2.14.2 Search vendor "Asyncssh Project" for product "Asyncssh" and version " < 2.14.2"		-		Affected
Dropbear Ssh Project Search vendor "Dropbear Ssh Project"		Dropbear Ssh Search vendor "Dropbear Ssh Project" for product "Dropbear Ssh"				< 2022.83 Search vendor "Dropbear Ssh Project" for product "Dropbear Ssh" and version " < 2022.83"		-		Affected
Jadaptive Search vendor "Jadaptive"		Maverick Synergy Java Ssh Api Search vendor "Jadaptive" for product "Maverick Synergy Java Ssh Api"				< 3.1.0-snapshot Search vendor "Jadaptive" for product "Maverick Synergy Java Ssh Api" and version " < 3.1.0-snapshot"		-		Affected
Ssh Search vendor "Ssh"		Ssh Search vendor "Ssh" for product "Ssh"				< 5.11 Search vendor "Ssh" for product "Ssh" and version " < 5.11"		-		Affected
Thorntech Search vendor "Thorntech"		Sftp Gateway Firmware Search vendor "Thorntech" for product "Sftp Gateway Firmware"				< 3.4.6 Search vendor "Thorntech" for product "Sftp Gateway Firmware" and version " < 3.4.6"		-		Affected
Netgate Search vendor "Netgate"		Pfsense Plus Search vendor "Netgate" for product "Pfsense Plus"				<= 23.09.1 Search vendor "Netgate" for product "Pfsense Plus" and version " <= 23.09.1"		-		Affected
Netgate Search vendor "Netgate"		Pfsense Ce Search vendor "Netgate" for product "Pfsense Ce"				<= 2.7.2 Search vendor "Netgate" for product "Pfsense Ce" and version " <= 2.7.2"		-		Affected
Crushftp Search vendor "Crushftp"		Crushftp Search vendor "Crushftp" for product "Crushftp"				< 10.6.0 Search vendor "Crushftp" for product "Crushftp" and version " < 10.6.0"		-		Affected
Connectbot Search vendor "Connectbot"		Sshlib Search vendor "Connectbot" for product "Sshlib"				< 2.2.22 Search vendor "Connectbot" for product "Sshlib" and version " < 2.2.22"		-		Affected
Apache Search vendor "Apache"		Sshd Search vendor "Apache" for product "Sshd"				<= 2.11.0 Search vendor "Apache" for product "Sshd" and version " <= 2.11.0"		-		Affected
Apache Search vendor "Apache"		Sshj Search vendor "Apache" for product "Sshj"				<= 0.37.0 Search vendor "Apache" for product "Sshj" and version " <= 0.37.0"		-		Affected
Tinyssh Search vendor "Tinyssh"		Tinyssh Search vendor "Tinyssh" for product "Tinyssh"				<= 20230101 Search vendor "Tinyssh" for product "Tinyssh" and version " <= 20230101"		-		Affected
Trilead Search vendor "Trilead"		Ssh2 Search vendor "Trilead" for product "Ssh2"				6401 Search vendor "Trilead" for product "Ssh2" and version "6401"		-		Affected
9bis Search vendor "9bis"		Kitty Search vendor "9bis" for product "Kitty"				<= 0.76.1.13 Search vendor "9bis" for product "Kitty" and version " <= 0.76.1.13"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				38 Search vendor "Fedoraproject" for product "Fedora" and version "38"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				39 Search vendor "Fedoraproject" for product "Fedora" and version "39"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0"		-		Affected
Apple Search vendor "Apple"		Macos Search vendor "Apple" for product "Macos"				>= 14.0 < 14.4 Search vendor "Apple" for product "Macos" and version " >= 14.0 < 14.4"		-		Affected