Main Vulnerability Database Vulnerabilities #VU93514

#VU93514 Information disclosure in OpenSSH - CVE-2024-39894

Published: July 1, 2024 / Updated: January 8, 2025

Vulnerability identifier: #VU93514

Vulnerability risk: Low

CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2024-39894

CWE-ID: CWE-200

Exploitation vector: Local access

Exploit availability: No public exploit available

Vulnerable software:
OpenSSH

Software vendor:
OpenSSH

Description

The vulnerability allows a local user to gain access to potentially sensitive information.

The vulnerability exists due a logic error in ObscureKeystrokeTiming implementation within the ssh client. A local user with ability to passively observe SSH sessions can recover sensitive input, such as password for the su or sudo programs.

Remediation

Install updates from vendor's website.

External links

https://www.openssh.com/releasenotes.html#9.8p1

#VU93514 Information disclosure in OpenSSH - CVE-2024-39894

Description

Remediation

External links

Please verify you're human