{"api_version":"1","generated_at":"2026-04-22T19:18:40+00:00","cve":"CVE-2023-38408","urls":{"html":"https://cve.report/CVE-2023-38408","api":"https://cve.report/api/cve/CVE-2023-38408.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2023-38408","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2023-38408"},"summary":{"title":"CVE-2023-38408","description":"The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2023-07-20 03:15:00","updated_at":"2023-11-07 04:17:00"},"problem_types":["CWE-428"],"metrics":[],"references":[{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RAXVQS6ZYTULFAK3TEJHRLKZALJS3AOU/","name":"FEDORA-2023-878e04f4ae","refsource":"","tags":[],"title":"[SECURITY] Fedora 38 Update: openssh-9.0p1-16.fc38 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.openwall.com/lists/oss-security/2023/07/20/2","name":"[oss-security] 20230720 Re: Announce: OpenSSH 9.3p2 released","refsource":"MLIST","tags":[],"title":"oss-security - Re: Announce: OpenSSH 9.3p2 released","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://blog.qualys.com/vulnerabilities-threat-research/2023/07/19/cve-2023-38408-remote-code-execution-in-opensshs-forwarded-ssh-agent","name":"https://blog.qualys.com/vulnerabilities-threat-research/2023/07/19/cve-2023-38408-remote-code-execution-in-opensshs-forwarded-ssh-agent","refsource":"MISC","tags":[],"title":"CVE-2023-38408: Remote Code Execution in OpenSSH’s forwarded ssh-agent | Qualys Security Blog","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.openwall.com/lists/oss-security/2023/09/22/11","name":"[oss-security] 20230922 Re: illumos (or at least danmcd) membership in the distros list","refsource":"MLIST","tags":[],"title":"oss-security - Re: illumos (or at least danmcd) membership in the distros list","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.debian.org/debian-lts-announce/2023/08/msg00021.html","name":"[debian-lts-announce] 20230817 [SECURITY] [DLA 3532-1] openssh security update","refsource":"MLIST","tags":[],"title":"[SECURITY] [DLA 3532-1] openssh security update","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.qualys.com/2023/07/19/cve-2023-38408/rce-openssh-forwarded-ssh-agent.txt","name":"https://www.qualys.com/2023/07/19/cve-2023-38408/rce-openssh-forwarded-ssh-agent.txt","refsource":"MISC","tags":[],"title":"","mime":"text/plain","httpstatus":"200","archivestatus":"200"},{"url":"https://security.netapp.com/advisory/ntap-20230803-0010/","name":"https://security.netapp.com/advisory/ntap-20230803-0010/","refsource":"CONFIRM","tags":[],"title":"CVE-2023-38408 OpenSSH Vulnerability in NetApp Products | NetApp Product Security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CEBTJJINE2I3FHAUKKNQWMFGYMLSMWKQ/","name":"FEDORA-2023-79a18e1725","refsource":"","tags":[],"title":"[SECURITY] Fedora 37 Update: openssh-8.8p1-11.fc37 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CEBTJJINE2I3FHAUKKNQWMFGYMLSMWKQ/","name":"FEDORA-2023-79a18e1725","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 37 Update: openssh-8.8p1-11.fc37 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"http://www.openwall.com/lists/oss-security/2023/07/20/1","name":"[oss-security] 20230719 Re: CVE-2023-38408: Remote Code Execution in OpenSSH's forwarded ssh-agent","refsource":"MLIST","tags":[],"title":"oss-security - Re: CVE-2023-38408: Remote Code Execution in OpenSSH's forwarded\n ssh-agent","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"http://packetstormsecurity.com/files/173661/OpenSSH-Forwarded-SSH-Agent-Remote-Code-Execution.html","name":"http://packetstormsecurity.com/files/173661/OpenSSH-Forwarded-SSH-Agent-Remote-Code-Execution.html","refsource":"MISC","tags":[],"title":"OpenSSH Forwarded SSH-Agent Remote Code Execution ≈ Packet Storm","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/openbsd/src/commit/7bc29a9d5cd697290aa056e94ecee6253d3425f8","name":"https://github.com/openbsd/src/commit/7bc29a9d5cd697290aa056e94ecee6253d3425f8","refsource":"MISC","tags":[],"title":"Disallow remote addition of FIDO/PKCS11 provider libraries to · openbsd/src@7bc29a9 · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/openbsd/src/commit/f03a4faa55c4ce0818324701dadbf91988d7351d","name":"https://github.com/openbsd/src/commit/f03a4faa55c4ce0818324701dadbf91988d7351d","refsource":"MISC","tags":[],"title":"terminate process if requested to load a PKCS#11 provider that · openbsd/src@f03a4fa · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"http://www.openwall.com/lists/oss-security/2023/09/22/9","name":"[oss-security] 20230922 Re: illumos (or at least danmcd) membership in the distros list","refsource":"MLIST","tags":[],"title":"oss-security - Re: illumos (or at least danmcd) membership in the distros list","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.openssh.com/security.html","name":"https://www.openssh.com/security.html","refsource":"CONFIRM","tags":[],"title":"OpenSSH: Security","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RAXVQS6ZYTULFAK3TEJHRLKZALJS3AOU/","name":"FEDORA-2023-878e04f4ae","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 38 Update: openssh-9.0p1-16.fc38 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/openbsd/src/commit/f8f5a6b003981bb824329dc987d101977beda7ca","name":"https://github.com/openbsd/src/commit/f8f5a6b003981bb824329dc987d101977beda7ca","refsource":"MISC","tags":[],"title":"Ensure FIDO/PKCS11 libraries contain expected symbols · openbsd/src@f8f5a6b · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://news.ycombinator.com/item?id=36790196","name":"https://news.ycombinator.com/item?id=36790196","refsource":"MISC","tags":[],"title":"Remote code execution in OpenSSH’s forwarded SSH-agent | Hacker News","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://security.gentoo.org/glsa/202307-01","name":"GLSA-202307-01","refsource":"GENTOO","tags":[],"title":"OpenSSH: Remote Code Execution (GLSA 202307-01) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.openssh.com/txt/release-9.3p2","name":"https://www.openssh.com/txt/release-9.3p2","refsource":"CONFIRM","tags":[],"title":"","mime":"text/plain","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-38408","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-38408","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2023","cve_id":"38408","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"37","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"38408","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"38","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"38408","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"openbsd","cpe5":"openssh","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"38408","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"openbsd","cpe5":"openssh","cpe6":"9.3","cpe7":"-","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"38408","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"openbsd","cpe5":"openssh","cpe6":"9.3","cpe7":"p1","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2023-38408","qid":"160826","title":"Oracle Enterprise Linux Security Update for openssh (ELSA-2023-4412)"},{"cve":"CVE-2023-38408","qid":"160828","title":"Oracle Enterprise Linux Security Update for openssh (ELSA-2023-4419)"},{"cve":"CVE-2023-38408","qid":"160836","title":"Oracle Enterprise Linux Security Update for openssh (ELSA-2023-4382)"},{"cve":"CVE-2023-38408","qid":"160862","title":"Oracle Enterprise Linux Security Update for openssh (ELSA-2023-12711)"},{"cve":"CVE-2023-38408","qid":"160867","title":"Oracle Enterprise Linux Security Update for openssh (ELSA-2023-4428)"},{"cve":"CVE-2023-38408","qid":"199596","title":"Ubuntu Security Notification for OpenSSH Vulnerability (USN-6242-1)"},{"cve":"CVE-2023-38408","qid":"199628","title":"Ubuntu Security Notification for OpenSSH Vulnerability (USN-6242-2)"},{"cve":"CVE-2023-38408","qid":"241870","title":"Red Hat Update for openssh (RHSA-2023:4329)"},{"cve":"CVE-2023-38408","qid":"241877","title":"Red Hat Update for openssh (RHSA-2023:4382)"},{"cve":"CVE-2023-38408","qid":"241879","title":"Red Hat Update for openssh (RHSA-2023:4381)"},{"cve":"CVE-2023-38408","qid":"241882","title":"Red Hat Update for openssh (RHSA-2023:4383)"},{"cve":"CVE-2023-38408","qid":"241885","title":"Red Hat Update for openssh (RHSA-2023:4384)"},{"cve":"CVE-2023-38408","qid":"241896","title":"Red Hat Update for openssh (RHSA-2023:4419)"},{"cve":"CVE-2023-38408","qid":"241897","title":"Red Hat Update for openssh (RHSA-2023:4413)"},{"cve":"CVE-2023-38408","qid":"241899","title":"Red Hat Update for openssh (RHSA-2023:4412)"},{"cve":"CVE-2023-38408","qid":"257251","title":"CentOS Security Update for openssh"},{"cve":"CVE-2023-38408","qid":"257283","title":"CentOS Security Update for openssh (CESA-2023:4382)"},{"cve":"CVE-2023-38408","qid":"284332","title":"Fedora Security Update for openssh (FEDORA-2023-878e04f4ae)"},{"cve":"CVE-2023-38408","qid":"284355","title":"Fedora Security Update for openssh (FEDORA-2023-79a18e1725)"},{"cve":"CVE-2023-38408","qid":"296108","title":"Oracle Solaris 11.4 Support Repository Update (SRU) 66.164.1 Missing (CPUJAN2024)"},{"cve":"CVE-2023-38408","qid":"355783","title":"Amazon Linux Security Advisory for openssh : ALAS2-2023-2176"},{"cve":"CVE-2023-38408","qid":"355801","title":"Amazon Linux Security Advisory for openssh : ALAS2023-2023-273"},{"cve":"CVE-2023-38408","qid":"355819","title":"Amazon Linux Security Advisory for openssh : ALAS-2023-1802"},{"cve":"CVE-2023-38408","qid":"378752","title":"Alibaba Cloud Linux Security Update for openssh (ALINUX3-SA-2023:0090)"},{"cve":"CVE-2023-38408","qid":"378760","title":"Alibaba Cloud Linux Security Update for openssh (ALINUX2-SA-2023:0033)"},{"cve":"CVE-2023-38408","qid":"38904","title":"OpenSSH Remote Code Execution (RCE) Vulnerability in its forwarded ssh-agent"},{"cve":"CVE-2023-38408","qid":"390278","title":"Oracle Managed Virtualization (VM) Server for x86 Security Update for openssh (OVMSA-2023-0019)"},{"cve":"CVE-2023-38408","qid":"503049","title":"Alpine Linux Security Update for openssh"},{"cve":"CVE-2023-38408","qid":"503052","title":"Alpine Linux Security Update for openssh"},{"cve":"CVE-2023-38408","qid":"6000161","title":"Debian Security Update for openssh (DLA 3532-1)"},{"cve":"CVE-2023-38408","qid":"673431","title":"EulerOS Security Update for openssh (EulerOS-SA-2023-2792)"},{"cve":"CVE-2023-38408","qid":"673531","title":"EulerOS Security Update for openssh (EulerOS-SA-2023-2816)"},{"cve":"CVE-2023-38408","qid":"673546","title":"EulerOS Security Update for openssh (EulerOS-SA-2023-2882)"},{"cve":"CVE-2023-38408","qid":"673578","title":"EulerOS Security Update for openssh (EulerOS-SA-2023-2846)"},{"cve":"CVE-2023-38408","qid":"673903","title":"EulerOS Security Update for openssh (EulerOS-SA-2023-2863)"},{"cve":"CVE-2023-38408","qid":"674038","title":"EulerOS Security Update for openssh (EulerOS-SA-2023-3140)"},{"cve":"CVE-2023-38408","qid":"674099","title":"EulerOS Security Update for openssh (EulerOS-SA-2023-2901)"},{"cve":"CVE-2023-38408","qid":"691219","title":"Free Berkeley Software Distribution (FreeBSD) Security Update for openssh (887eb570-27d3-11ee-adba-c80aa9043978)"},{"cve":"CVE-2023-38408","qid":"710742","title":"Gentoo Linux OpenSSH Remote Code Execution (RCE) Vulnerability (GLSA 202307-01)"},{"cve":"CVE-2023-38408","qid":"754200","title":"SUSE Enterprise Linux Security Update for openssh (SUSE-SU-2023:2950-1)"},{"cve":"CVE-2023-38408","qid":"754201","title":"SUSE Enterprise Linux Security Update for openssh (SUSE-SU-2023:2947-1)"},{"cve":"CVE-2023-38408","qid":"754202","title":"SUSE Enterprise Linux Security Update for openssh (SUSE-SU-2023:2946-1)"},{"cve":"CVE-2023-38408","qid":"754203","title":"SUSE Enterprise Linux Security Update for openssh (SUSE-SU-2023:2945-1)"},{"cve":"CVE-2023-38408","qid":"907113","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for openssh (27625-1)"},{"cve":"CVE-2023-38408","qid":"907218","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for openssh (27651-1)"},{"cve":"CVE-2023-38408","qid":"941195","title":"AlmaLinux Security Update for openssh (ALSA-2023:4419)"},{"cve":"CVE-2023-38408","qid":"941196","title":"AlmaLinux Security Update for openssh (ALSA-2023:4412)"},{"cve":"CVE-2023-38408","qid":"960973","title":"Rocky Linux Security Update for openssh (RLSA-2023:4419)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2023-38408","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"refsource":"MISC","name":"https://news.ycombinator.com/item?id=36790196","url":"https://news.ycombinator.com/item?id=36790196"},{"refsource":"MISC","name":"https://blog.qualys.com/vulnerabilities-threat-research/2023/07/19/cve-2023-38408-remote-code-execution-in-opensshs-forwarded-ssh-agent","url":"https://blog.qualys.com/vulnerabilities-threat-research/2023/07/19/cve-2023-38408-remote-code-execution-in-opensshs-forwarded-ssh-agent"},{"refsource":"MISC","name":"https://www.qualys.com/2023/07/19/cve-2023-38408/rce-openssh-forwarded-ssh-agent.txt","url":"https://www.qualys.com/2023/07/19/cve-2023-38408/rce-openssh-forwarded-ssh-agent.txt"},{"refsource":"MISC","name":"https://github.com/openbsd/src/commit/f8f5a6b003981bb824329dc987d101977beda7ca","url":"https://github.com/openbsd/src/commit/f8f5a6b003981bb824329dc987d101977beda7ca"},{"refsource":"MISC","name":"https://github.com/openbsd/src/commit/7bc29a9d5cd697290aa056e94ecee6253d3425f8","url":"https://github.com/openbsd/src/commit/7bc29a9d5cd697290aa056e94ecee6253d3425f8"},{"refsource":"MISC","name":"https://github.com/openbsd/src/commit/f03a4faa55c4ce0818324701dadbf91988d7351d","url":"https://github.com/openbsd/src/commit/f03a4faa55c4ce0818324701dadbf91988d7351d"},{"refsource":"CONFIRM","name":"https://www.openssh.com/txt/release-9.3p2","url":"https://www.openssh.com/txt/release-9.3p2"},{"refsource":"CONFIRM","name":"https://www.openssh.com/security.html","url":"https://www.openssh.com/security.html"},{"refsource":"GENTOO","name":"GLSA-202307-01","url":"https://security.gentoo.org/glsa/202307-01"},{"refsource":"MLIST","name":"[oss-security] 20230719 Re: CVE-2023-38408: Remote Code Execution in OpenSSH's forwarded ssh-agent","url":"http://www.openwall.com/lists/oss-security/2023/07/20/1"},{"refsource":"MLIST","name":"[oss-security] 20230720 Re: Announce: OpenSSH 9.3p2 released","url":"http://www.openwall.com/lists/oss-security/2023/07/20/2"},{"refsource":"MISC","name":"http://packetstormsecurity.com/files/173661/OpenSSH-Forwarded-SSH-Agent-Remote-Code-Execution.html","url":"http://packetstormsecurity.com/files/173661/OpenSSH-Forwarded-SSH-Agent-Remote-Code-Execution.html"},{"refsource":"FEDORA","name":"FEDORA-2023-878e04f4ae","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RAXVQS6ZYTULFAK3TEJHRLKZALJS3AOU/"},{"refsource":"FEDORA","name":"FEDORA-2023-79a18e1725","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CEBTJJINE2I3FHAUKKNQWMFGYMLSMWKQ/"},{"refsource":"CONFIRM","name":"https://security.netapp.com/advisory/ntap-20230803-0010/","url":"https://security.netapp.com/advisory/ntap-20230803-0010/"},{"refsource":"MLIST","name":"[debian-lts-announce] 20230817 [SECURITY] [DLA 3532-1] openssh security update","url":"https://lists.debian.org/debian-lts-announce/2023/08/msg00021.html"},{"refsource":"MLIST","name":"[oss-security] 20230922 Re: illumos (or at least danmcd) membership in the distros list","url":"http://www.openwall.com/lists/oss-security/2023/09/22/9"},{"refsource":"MLIST","name":"[oss-security] 20230922 Re: illumos (or at least danmcd) membership in the distros list","url":"http://www.openwall.com/lists/oss-security/2023/09/22/11"}]}},"nvd":{"publishedDate":"2023-07-20 03:15:00","lastModifiedDate":"2023-11-07 04:17:00","problem_types":["CWE-428"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL"},"exploitabilityScore":3.9,"impactScore":5.9}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:openbsd:openssh:*:*:*:*:*:*:*:*","versionEndExcluding":"9.3","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:openbsd:openssh:9.3:p1:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:openbsd:openssh:9.3:-:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":null,"notes":[]}}}