Vulnerability details: VCID-t5fq-z2g3-aaad
Vulnerability ID: VCID-t5fq-z2g3-aaad
Aliases: CVE-2021-36369
Summary: An issue was discovered in Dropbear through 2020.81. Due to a non-RFC-compliant check of the available authentication methods in the client-side SSH code, it is possible for an SSH server to change the login process in its favor. This attack can bypass additional security measures such as FIDO2 tokens or SSH-Askpass. Thus, it allows an attacker to abuse a forwarded agent for logging on to another server unnoticed.
Status: Published
Exploitability: 0.5
Weighted Severity: 6.8
Risk: 3.4
System Score Found at
epss 0.00075 https://api.first.org/data/v1/epss?cve=CVE-2021-36369
epss 0.00081 https://api.first.org/data/v1/epss?cve=CVE-2021-36369
epss 0.0009 https://api.first.org/data/v1/epss?cve=CVE-2021-36369
epss 0.00094 https://api.first.org/data/v1/epss?cve=CVE-2021-36369
epss 0.00098 https://api.first.org/data/v1/epss?cve=CVE-2021-36369
epss 0.00099 https://api.first.org/data/v1/epss?cve=CVE-2021-36369
epss 0.00107 https://api.first.org/data/v1/epss?cve=CVE-2021-36369
epss 0.00122 https://api.first.org/data/v1/epss?cve=CVE-2021-36369
epss 0.00123 https://api.first.org/data/v1/epss?cve=CVE-2021-36369
epss 0.0013 https://api.first.org/data/v1/epss?cve=CVE-2021-36369
cvssv3.1 7.5 https://github.com/mkj/dropbear/pull/128
ssvc Track https://github.com/mkj/dropbear/pull/128
cvssv3.1 7.5 https://github.com/mkj/dropbear/releases
ssvc Track https://github.com/mkj/dropbear/releases
cvssv3.1 7.5 https://github.com/mkj/dropbear/releases/tag/DROPBEAR_2022.82
ssvc Track https://github.com/mkj/dropbear/releases/tag/DROPBEAR_2022.82
cvssv3.1 7.5 https://lists.debian.org/debian-lts-announce/2022/11/msg00015.html
ssvc Track https://lists.debian.org/debian-lts-announce/2022/11/msg00015.html
cvssv3 7.5 https://nvd.nist.gov/vuln/detail/CVE-2021-36369
cvssv3.1 7.5 https://nvd.nist.gov/vuln/detail/CVE-2021-36369
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://github.com/mkj/dropbear/pull/128
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-15T18:45:18Z/ Found at https://github.com/mkj/dropbear/pull/128
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://github.com/mkj/dropbear/releases
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-15T18:45:18Z/ Found at https://github.com/mkj/dropbear/releases
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://github.com/mkj/dropbear/releases/tag/DROPBEAR_2022.82
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-15T18:45:18Z/ Found at https://github.com/mkj/dropbear/releases/tag/DROPBEAR_2022.82
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://lists.debian.org/debian-lts-announce/2022/11/msg00015.html
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-15T18:45:18Z/ Found at https://lists.debian.org/debian-lts-announce/2022/11/msg00015.html
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2021-36369
Exploit Prediction Scoring System (EPSS)
Percentile: 0.23578
EPSS Score: 0.00075
Published At: May 1, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
There are no relevant records.