CVE-2021-41617
Public on 2021-09-26
Modified on 2024-02-10
Description
A flaw was found in OpenSSH. Helper programs for AuthorizedKeysCommand and AuthorizedPrincipalsCommand may run with privileges associated with group memberships of the sshd process, if the configuration specifies running the command as a different user. Depending on system configuration, inherited groups may allow AuthorizedKeysCommand/AuthorizedPrincipalsCommand helper programs to gain unintended privileges, potentially leading to local privilege escalation.
Severity
Medium
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 1 | openssh | 2022-02-10 | ALAS-2022-1565 | Fixed |
| Amazon Linux 2 - Core | openssh | 2022-02-03 | ALAS2-2022-1748 | Fixed |
| Amazon Linux 2023 | openssh | Not Affected |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 7.0 | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
| NVD | CVSSv2 | 4.4 | AV:L/AC:M/Au:N/C:P/I:P/A:P |
| NVD | CVSSv3 | 7.0 | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |