CVE-2021-36369

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-36369
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-36369.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2021-36369
Related
Published
2022-10-12T21:15:09Z
Modified
2024-10-12T07:52:58.734133Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
Summary
[none]
Details

An issue was discovered in Dropbear through 2020.81. Due to a non-RFC-compliant check of the available authentication methods in the client-side SSH code, it is possible for an SSH server to change the login process in its favor. This attack can bypass additional security measures such as FIDO2 tokens or SSH-Askpass. Thus, it allows an attacker to abuse a forwarded agent for logging on to another server unnoticed.

References

Affected packages

Debian:11 / dropbear

Package

Name
dropbear
Purl
pkg:deb/debian/dropbear?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2020.81-3+deb11u1

Affected versions

2020.*

2020.81-3

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / dropbear

Package

Name
dropbear
Purl
pkg:deb/debian/dropbear?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2022.82-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / dropbear

Package

Name
dropbear
Purl
pkg:deb/debian/dropbear?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2022.82-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/mkj/dropbear

Affected ranges

Type
GIT
Repo
https://github.com/mkj/dropbear
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected

Affected versions

DROPBEAR_0.*

DROPBEAR_0.44
DROPBEAR_0.44test1
DROPBEAR_0.44test2
DROPBEAR_0.44test3
DROPBEAR_0.44test4
DROPBEAR_0.45
DROPBEAR_0.46
DROPBEAR_0.47
DROPBEAR_0.48
DROPBEAR_0.48.1
DROPBEAR_0.49
DROPBEAR_0.50
DROPBEAR_0.51
DROPBEAR_0.52
DROPBEAR_0.53
DROPBEAR_0.53.1

DROPBEAR_2011.*

DROPBEAR_2011.54

DROPBEAR_2012.*

DROPBEAR_2012.55

DROPBEAR_2013.*

DROPBEAR_2013.56
DROPBEAR_2013.57
DROPBEAR_2013.58
DROPBEAR_2013.59
DROPBEAR_2013.60
DROPBEAR_2013.61test
DROPBEAR_2013.62

DROPBEAR_2014.*

DROPBEAR_2014.63
DROPBEAR_2014.64
DROPBEAR_2014.65
DROPBEAR_2014.66

DROPBEAR_2015.*

DROPBEAR_2015.67
DROPBEAR_2015.68
DROPBEAR_2015.69
DROPBEAR_2015.70
DROPBEAR_2015.71

DROPBEAR_2016.*

DROPBEAR_2016.72
DROPBEAR_2016.73
DROPBEAR_2016.74

DROPBEAR_2017.*

DROPBEAR_2017.75

DROPBEAR_2018.*

DROPBEAR_2018.76

DROPBEAR_2019.*

DROPBEAR_2019.77
DROPBEAR_2019.78

DROPBEAR_2020.*

DROPBEAR_2020.79
DROPBEAR_2020.80
DROPBEAR_2020.81

libtomcrypt-1.*

libtomcrypt-1.05
libtomcrypt-1.16

libtommath-0.*

libtommath-0.35
libtommath-0.40