Fluid Attacks Database

Description

Multiple CRLF injection vulnerabilities in session.c in sshd in OpenSSH before 7.2p2 allow remote authenticated users to bypass intended shell-command restrictions via crafted X11 forwarding data, related to the (1) do_authenticated1 and (2) session_x11_req functions.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	openssh	>=0 <1:7.2p2-1	1:7.2p2-1
debian 12	openssh	>=0 <1:7.2p2-1	1:7.2p2-1
debian 13	openssh	>=0 <1:7.2p2-1	1:7.2p2-1
debian 14	openssh	>=0 <1:7.2p2-1	1:7.2p2-1
rpm rhel7	openssh	<0:6.6.1p1-25.el7_2	0:6.6.1p1-25.el7_2
rpm rhel5	openssh	-	-
rpm rhel6	openssh	<0:5.3p1-114.el6_7	0:5.3p1-114.el6_7

Aliases

1. CVE-2016-31152. NVD-2016-31153. OSV-DEBIAN-2016-31154. OSV-2016-31155. SECURITY-TRACKER-CVE-2016-3115

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.