Double Free Affecting openssh package, versions <8.5_p1-r0


Severity

Recommended
0.0
high
0
10

Snyk's Security Team recommends NVD's CVSS assessment. Learn more

Threat Intelligence

EPSS
3.42% (88th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-ALPINE317-OPENSSH-3140989
  • published25 Mar 2021
  • disclosed5 Mar 2021

Introduced: 5 Mar 2021

CVE-2021-28041  (opens in a new tab)
CWE-415  (opens in a new tab)

How to fix?

Upgrade Alpine:3.17 openssh to version 8.5_p1-r0 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssh package and not the openssh package as distributed by Alpine. See How to fix? for Alpine:3.17 relevant fixed versions and status.

ssh-agent in OpenSSH before 8.5 has a double free that may be relevant in a few less-common scenarios, such as unconstrained agent-socket access on a legacy operating system, or the forwarding of an agent to an attacker-controlled host.

CVSS Base Scores

version 3.1