{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2014-12-02T00:00:00", "descriptions": [{"lang": "en", "value": "The OpenSSH server, as used in Fedora and Red Hat Enterprise Linux 7 and when running in a Kerberos environment, allows remote authenticated users to log in as another user when they are listed in the .k5users file of that user, which might bypass intended authentication requirements that would force a local login."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-09-07T15:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "71420", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/71420"}, {"name": "[oss-security] 20141204 Re: CVE request: OpenSSH ~/.k5users patch (Fedora  and downstreams)", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2014/12/04/17"}, {"name": "RHSA-2015:0425", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2015-0425.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1169843"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.mindrot.org/show_bug.cgi?id=1867"}, {"tags": ["x_refsource_MISC"], "url": "http://thread.gmane.org/gmane.comp.encryption.kerberos.general/15855"}, {"name": "openssh-gssservkrb5-sec-bypass(99090)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/99090"}, {"name": "[oss-security] 20141202 CVE request: OpenSSH ~/.k5users patch (Fedora  and downstreams)", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2014/12/02/3"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T13:40:25.092Z"}, "title": "CVE Program Container", "references": [{"name": "71420", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/71420"}, {"name": "[oss-security] 20141204 Re: CVE request: OpenSSH ~/.k5users patch (Fedora  and downstreams)", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2014/12/04/17"}, {"name": "RHSA-2015:0425", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2015-0425.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1169843"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.mindrot.org/show_bug.cgi?id=1867"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://thread.gmane.org/gmane.comp.encryption.kerberos.general/15855"}, {"name": "openssh-gssservkrb5-sec-bypass(99090)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/99090"}, {"name": "[oss-security] 20141202 CVE request: OpenSSH ~/.k5users patch (Fedora  and downstreams)", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2014/12/02/3"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2014-9278", "datePublished": "2014-12-06T15:00:00", "dateReserved": "2014-12-04T00:00:00", "dateUpdated": "2024-08-06T13:40:25.092Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openbsd:openssh:-:*:*:*:*:*:*:*", "matchCriteriaId": "7BB9B2AD-A04E-4C93-9FAF-5DC02F69690B", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "142AD0DD-4CF3-4D74-9442-459CE3347E3A", "vulnerable": false}, {"criteria": "cpe:2.3:o:redhat:fedora:7:*:*:*:*:*:*:*", "matchCriteriaId": "EE2027FA-357A-4BE3-9043-6DE8307C040A", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The OpenSSH server, as used in Fedora and Red Hat Enterprise Linux 7 and when running in a Kerberos environment, allows remote authenticated users to log in as another user when they are listed in the .k5users file of that user, which might bypass intended authentication requirements that would force a local login."}, {"lang": "es", "value": "El servidor OpenSSH, utilizado en Fedora y Red Hat Enterprise Linux 7 y cuando funciona en un entorno Kerberos, permite a usuarios remotos autenticados iniciar sesi\u00f3n como otro usuario cuando est\u00e1n listados en el fichero .k5users de ese usuario, lo que podr\u00eda evadir los requisitos de autenticaci\u00f3n que forzar\u00eda un inicio de sesi\u00f3n local."}], "id": "CVE-2014-9278", "lastModified": "2025-04-12T10:46:40.837", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2014-12-06T15:59:07.920", "references": [{"source": "secalert@redhat.com", "url": "http://rhn.redhat.com/errata/RHSA-2015-0425.html"}, {"source": "secalert@redhat.com", "url": "http://thread.gmane.org/gmane.comp.encryption.kerberos.general/15855"}, {"source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2014/12/02/3"}, {"source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2014/12/04/17"}, {"source": "secalert@redhat.com", "url": "http://www.securityfocus.com/bid/71420"}, {"source": "secalert@redhat.com", "url": "https://bugzilla.mindrot.org/show_bug.cgi?id=1867"}, {"source": "secalert@redhat.com", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1169843"}, {"source": "secalert@redhat.com", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/99090"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://rhn.redhat.com/errata/RHSA-2015-0425.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://thread.gmane.org/gmane.comp.encryption.kerberos.general/15855"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2014/12/02/3"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2014/12/04/17"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/71420"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://bugzilla.mindrot.org/show_bug.cgi?id=1867"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1169843"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/99090"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2015:0425", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "openssh-0:6.6.1p1-11.el7", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2015-03-05T00:00:00Z"}], "bugzilla": {"description": "openssh: ~/.k5users unexpectedly grants remote login", "id": "1169843", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1169843"}, "csaw": false, "cvss": {"cvss_base_score": "4.9", "cvss_scoring_vector": "AV:N/AC:M/Au:S/C:P/I:P/A:N", "status": "verified"}, "details": ["The OpenSSH server, as used in Fedora and Red Hat Enterprise Linux 7 and when running in a Kerberos environment, allows remote authenticated users to log in as another user when they are listed in the .k5users file of that user, which might bypass intended authentication requirements that would force a local login.", "It was found that when OpenSSH was used in a Kerberos environment, remote authenticated users were allowed to log in as a different user if they were listed in the ~/.k5users file of that user, potentially bypassing intended authentication restrictions."], "name": "CVE-2014-9278", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Not affected", "package_name": "openssh", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "openssh", "product_name": "Red Hat Enterprise Linux 6"}], "public_date": "2014-10-03T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2014-9278\nhttps://nvd.nist.gov/vuln/detail/CVE-2014-9278"], "threat_severity": "Low"}