[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-CVE-2023-38408":6},{"stargazers_count":4,"fetched_at":5},7,"2026-06-05T02:55:30.529Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":19,"aliases":39,"duplicate_of":9,"upstream":40,"downstream":41,"duplicates":86,"related":87,"reserved_at":9,"published_at":99,"modified_at":100,"state":101,"summary":102,"references_raw":109,"kevs":196,"epss":197,"epss_history":200,"metrics":447,"affected":454},"CVE-2023-38408","The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009.",null,[11],{"_key":12,"id":12,"name":13,"description":14,"type":15,"status":16,"abstraction":17,"likelihood_of_exploit":9,"capec":18},"CWE-428","Unquoted Search Path or Element","The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path.","weakness","Draft","Base",[],[20,29,34],{"_key":21,"name":22,"source":23,"url":24,"maturity":25,"reliability_score":26,"verified":27,"type":9,"platforms":28,"requires_auth":9,"exploitdb":9,"metasploit":9},"REF_2ECA1EB163C9E048","Exploit Reference (qualys.com)","reference","https://www.qualys.com/2023/07/19/cve-2023-38408/rce-openssh-forwarded-ssh-agent.txt","unknown",0.2,false,[],{"_key":30,"name":31,"source":23,"url":32,"maturity":25,"reliability_score":26,"verified":27,"type":9,"platforms":33,"requires_auth":9,"exploitdb":9,"metasploit":9},"REF_F55F71BA86251118","Exploit Reference (openwall.com)","http://www.openwall.com/lists/oss-security/2023/07/20/1",[],{"_key":35,"name":36,"source":23,"url":37,"maturity":25,"reliability_score":26,"verified":27,"type":9,"platforms":38,"requires_auth":9,"exploitdb":9,"metasploit":9},"REF_671976C45071C6D7","Exploit Reference (packetstormsecurity.com)","http://packetstormsecurity.com/files/173661/OpenSSH-Forwarded-SSH-Agent-Remote-Code-Execution.html",[],[],[],[42,44,46,48,50,52,54,56,58,60,62,64,66,68,70,72,74,76,78,80,82,84],{"_key":43},"ALPINE-CVE-2023-38408",{"_key":45},"SUSE-SU-2023:2950-1",{"_key":47},"RHSA-2023:4329",{"_key":49},"RHSA-2023:4381",{"_key":51},"RHSA-2023:4382",{"_key":53},"RHSA-2023:4383",{"_key":55},"RHSA-2023:4384",{"_key":57},"RHSA-2023:4412",{"_key":59},"RHSA-2023:4413",{"_key":61},"RHSA-2023:4419",{"_key":63},"RHSA-2023:4428",{"_key":65},"SUSE-SU-2023:2940-1",{"_key":67},"SUSE-SU-2023:2946-1",{"_key":69},"SUSE-SU-2023:2947-1",{"_key":71},"SUSE-SU-2023:2945-1",{"_key":73},"OPENSUSE-SU-2024:13063-1",{"_key":75},"DLA-3532-1",{"_key":77},"MGASA-2024-0010",{"_key":79},"USN-6242-1",{"_key":81},"DEBIAN-CVE-2023-38408",{"_key":83},"UBUNTU-CVE-2023-38408",{"_key":85},"USN-6242-2",[],[88,89,90,91,92,93,94,95,97],{"_key":45},{"_key":65},{"_key":67},{"_key":69},{"_key":71},{"_key":73},{"_key":77},{"_key":96},"CGA-WFW4-M8R2-5Q9C",{"_key":98},"CGA-FRMW-HJ73-JQ63","2023-07-20T00:00:00.000Z","2024-10-15T18:33:21.591Z","Modified",{"cisa_kev":27,"cisa_ransomware":27,"cisa_vendor":9,"epss_severity":103,"epss_score":104,"severity":103,"severity_score":105,"severity_version":106,"severity_source":107,"severity_vector":108,"severity_status":101},"critical",0.64352,9.8,"v3.1","cve.org","CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",[110,117,122,126,130,134,138,143,148,152,156,160,164,168,172,176,180,184,188,192],{"url":111,"sources":112,"tags":114},"https://news.ycombinator.com/item?id=36790196",[107,113],"nvd",[115,116],"Issue Tracking","Patch",{"url":118,"sources":119,"tags":120},"https://blog.qualys.com/vulnerabilities-threat-research/2023/07/19/cve-2023-38408-remote-code-execution-in-opensshs-forwarded-ssh-agent",[107,113],[121],"Third Party Advisory",{"url":24,"sources":123,"tags":124},[107,113],[125,121],"Exploit",{"url":127,"sources":128,"tags":129},"https://github.com/openbsd/src/commit/f8f5a6b003981bb824329dc987d101977beda7ca",[107,113],[116],{"url":131,"sources":132,"tags":133},"https://github.com/openbsd/src/commit/7bc29a9d5cd697290aa056e94ecee6253d3425f8",[107,113],[116],{"url":135,"sources":136,"tags":137},"https://github.com/openbsd/src/commit/f03a4faa55c4ce0818324701dadbf91988d7351d",[107,113],[116],{"url":139,"sources":140,"tags":141},"https://www.openssh.com/txt/release-9.3p2",[107,113],[142],"Release Notes",{"url":144,"sources":145,"tags":146},"https://www.openssh.com/security.html",[107,113],[147],"Vendor Advisory",{"url":149,"sources":150,"tags":151},"https://security.gentoo.org/glsa/202307-01",[107,113],[147,121],{"url":32,"sources":153,"tags":154},[107,113],[155,125,121],"Mailing List",{"url":157,"sources":158,"tags":159},"http://www.openwall.com/lists/oss-security/2023/07/20/2",[107,113],[155,121],{"url":37,"sources":161,"tags":162},[107,113],[125,121,163],"VDB Entry",{"url":165,"sources":166,"tags":167},"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RAXVQS6ZYTULFAK3TEJHRLKZALJS3AOU/",[107,113],[147],{"url":169,"sources":170,"tags":171},"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CEBTJJINE2I3FHAUKKNQWMFGYMLSMWKQ/",[107,113],[147],{"url":173,"sources":174,"tags":175},"https://security.netapp.com/advisory/ntap-20230803-0010/",[107,113],[],{"url":177,"sources":178,"tags":179},"https://lists.debian.org/debian-lts-announce/2023/08/msg00021.html",[107,113],[155],{"url":181,"sources":182,"tags":183},"http://www.openwall.com/lists/oss-security/2023/09/22/9",[107,113],[155],{"url":185,"sources":186,"tags":187},"http://www.openwall.com/lists/oss-security/2023/09/22/11",[107,113],[155],{"url":189,"sources":190,"tags":191},"https://support.apple.com/kb/HT213940",[107,113],[],{"url":193,"sources":194,"tags":195},"https://www.vicarius.io/vsociety/posts/exploring-opensshs-agent-forwarding-rce-cve-2023-38408",[107,113],[],[],{"date":198,"score":104,"percentile":199},"2026-06-04",0.98463,[201,205,208,210,212,214,216,219,222,224,227,229,231,233,235,239,242,245,249,252,255,259,262,264,266,268,272,275,279,282,285,289,291,294,296,299,301,304,307,310,312,314,316,319,322,324,327,330,332,335,338,340,344,346,349,352,356,358,360,364,368,370,374,376,379,382,384,387,390,392,394,396,398,400,402,405,408,411,414,416,419,422,425,427,429,431,434,437,441,444],{"date":202,"score":203,"percentile":204},"2025-11-04",0.64287,0.9835,{"date":206,"score":203,"percentile":207},"2025-11-05",0.98349,{"date":209,"score":203,"percentile":204},"2025-11-06",{"date":211,"score":203,"percentile":207},"2025-11-07",{"date":213,"score":203,"percentile":207},"2025-11-08",{"date":215,"score":203,"percentile":207},"2025-11-09",{"date":217,"score":203,"percentile":218},"2025-11-10",0.98348,{"date":220,"score":203,"percentile":221},"2025-11-11",0.98347,{"date":223,"score":203,"percentile":204},"2025-11-12",{"date":225,"score":203,"percentile":226},"2025-11-13",0.98352,{"date":228,"score":203,"percentile":226},"2025-11-14",{"date":230,"score":203,"percentile":207},"2025-11-15",{"date":232,"score":203,"percentile":204},"2025-11-16",{"date":234,"score":203,"percentile":204},"2025-11-17",{"date":236,"score":237,"percentile":238},"2025-11-18",0.48933,0.97633,{"date":240,"score":237,"percentile":241},"2025-11-19",0.97634,{"date":243,"score":237,"percentile":244},"2025-11-20",0.9764,{"date":246,"score":247,"percentile":248},"2025-11-21",0.64775,0.98368,{"date":250,"score":247,"percentile":251},"2025-11-22",0.98366,{"date":253,"score":247,"percentile":254},"2025-11-23",0.98365,{"date":256,"score":257,"percentile":258},"2025-11-24",0.64646,0.9836,{"date":260,"score":257,"percentile":261},"2025-11-25",0.98362,{"date":263,"score":257,"percentile":261},"2025-11-26",{"date":265,"score":257,"percentile":261},"2025-11-27",{"date":267,"score":257,"percentile":261},"2025-11-28",{"date":269,"score":270,"percentile":271},"2025-11-29",0.64157,0.98339,{"date":273,"score":270,"percentile":274},"2025-11-30",0.98338,{"date":276,"score":277,"percentile":278},"2025-12-01",0.65791,0.98437,{"date":280,"score":277,"percentile":281},"2025-12-02",0.98438,{"date":283,"score":277,"percentile":284},"2025-12-03",0.98439,{"date":286,"score":287,"percentile":288},"2025-12-04",0.67055,0.98473,{"date":290,"score":287,"percentile":288},"2025-12-05",{"date":292,"score":287,"percentile":293},"2025-12-06",0.98474,{"date":295,"score":287,"percentile":293},"2025-12-07",{"date":297,"score":287,"percentile":298},"2025-12-08",0.98475,{"date":300,"score":287,"percentile":298},"2025-12-09",{"date":302,"score":287,"percentile":303},"2025-12-10",0.98478,{"date":305,"score":287,"percentile":306},"2025-12-11",0.98479,{"date":308,"score":287,"percentile":309},"2025-12-12",0.9848,{"date":311,"score":287,"percentile":309},"2025-12-13",{"date":313,"score":287,"percentile":309},"2025-12-14",{"date":315,"score":287,"percentile":309},"2025-12-15",{"date":317,"score":287,"percentile":318},"2025-12-16",0.98481,{"date":320,"score":287,"percentile":321},"2025-12-17",0.98483,{"date":323,"score":270,"percentile":226},"2025-12-18",{"date":325,"score":270,"percentile":326},"2025-12-19",0.98353,{"date":328,"score":257,"percentile":329},"2025-12-20",0.98377,{"date":331,"score":257,"percentile":329},"2025-12-21",{"date":333,"score":257,"percentile":334},"2025-12-22",0.98378,{"date":336,"score":257,"percentile":337},"2025-12-23",0.98376,{"date":339,"score":257,"percentile":337},"2025-12-24",{"date":341,"score":342,"percentile":343},"2025-12-25",0.67513,0.98504,{"date":345,"score":342,"percentile":343},"2025-12-26",{"date":347,"score":342,"percentile":348},"2025-12-27",0.98522,{"date":350,"score":342,"percentile":351},"2025-12-28",0.98506,{"date":353,"score":354,"percentile":355},"2025-12-29",0.69186,0.98578,{"date":357,"score":354,"percentile":355},"2025-12-30",{"date":359,"score":354,"percentile":355},"2025-12-31",{"date":361,"score":362,"percentile":363},"2026-01-01",0.70624,0.9865,{"date":365,"score":366,"percentile":367},"2026-01-02",0.70206,0.98633,{"date":369,"score":366,"percentile":367},"2026-01-03",{"date":371,"score":372,"percentile":373},"2026-01-04",0.68749,0.98559,{"date":375,"score":372,"percentile":373},"2026-01-05",{"date":377,"score":372,"percentile":378},"2026-01-06",0.9856,{"date":380,"score":372,"percentile":381},"2026-01-07",0.98562,{"date":383,"score":372,"percentile":381},"2026-01-08",{"date":385,"score":372,"percentile":386},"2026-01-09",0.98563,{"date":388,"score":372,"percentile":389},"2026-01-10",0.98564,{"date":391,"score":372,"percentile":386},"2026-01-11",{"date":393,"score":372,"percentile":381},"2026-01-12",{"date":395,"score":372,"percentile":381},"2026-01-13",{"date":397,"score":372,"percentile":386},"2026-01-14",{"date":399,"score":372,"percentile":389},"2026-01-15",{"date":401,"score":372,"percentile":389},"2026-01-16",{"date":403,"score":372,"percentile":404},"2026-01-17",0.98566,{"date":406,"score":354,"percentile":407},"2026-01-18",0.98588,{"date":409,"score":354,"percentile":410},"2026-01-19",0.9859,{"date":412,"score":354,"percentile":413},"2026-01-20",0.98589,{"date":415,"score":354,"percentile":410},"2026-01-21",{"date":417,"score":354,"percentile":418},"2026-01-22",0.98592,{"date":420,"score":354,"percentile":421},"2026-01-23",0.98593,{"date":423,"score":354,"percentile":424},"2026-01-24",0.98594,{"date":426,"score":354,"percentile":421},"2026-01-25",{"date":428,"score":354,"percentile":424},"2026-01-26",{"date":430,"score":354,"percentile":424},"2026-01-27",{"date":432,"score":354,"percentile":433},"2026-01-28",0.98595,{"date":435,"score":354,"percentile":436},"2026-01-29",0.98596,{"date":438,"score":439,"percentile":440},"2026-01-30",0.67312,0.98518,{"date":442,"score":439,"percentile":443},"2026-01-31",0.98517,{"date":445,"score":446,"percentile":413},"2026-02-01",0.68828,[448,452],{"source":107,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":449,"cvss_v4_0":9},{"baseScore":105,"baseSeverity":450,"vectorString":108,"impactScore":105,"exploitabilityScore":451},"CRITICAL",10,{"source":113,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":453,"cvss_v4_0":9},{"baseScore":105,"baseSeverity":450,"vectorString":108,"impactScore":105,"exploitabilityScore":451},[455,465],{"ecosystem":9,"name":456,"vendor":457,"product":456,"cpe_part":458,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":459},"fedora","fedoraproject","o",[460,463],{"version":461,"is_range":27,"range_type":462,"version_start":9,"version_start_type":9,"version_end":9,"version_end_type":9,"fixed_in":9},"37","cpe",{"version":464,"is_range":27,"range_type":462,"version_start":9,"version_start_type":9,"version_end":9,"version_end_type":9,"fixed_in":9},"38",{"ecosystem":9,"name":466,"vendor":467,"product":466,"cpe_part":468,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":469},"openssh","openbsd","a",[470,475,476],{"version":471,"is_range":472,"range_type":462,"version_start":9,"version_start_type":9,"version_end":473,"version_end_type":474,"fixed_in":9},"lt9.3",true,"9.3","excluding",{"version":473,"is_range":27,"range_type":462,"version_start":9,"version_start_type":9,"version_end":9,"version_end_type":9,"fixed_in":9},{"version":477,"is_range":27,"range_type":462,"version_start":9,"version_start_type":9,"version_end":9,"version_end_type":9,"fixed_in":9},"9.3:p1"]