CVE-2023-48795

Exp

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in [email protected] and (if CBC is used) the [email protected] MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.

Published: 2023-12-18 Last update: 2026-05-12 Assigner: [email protected] Source: [email protected]
NVD Status:ModifiedCVE State: published
View at NVD, CVE.org, EUVD

CVE-2023-48795 is rated High Exploit Risk (74.5/100): CVSS Medium severity, with high exploitation likelihood (EPSS 54.21%, 98th percentile). 3 public exploit reference(s) are indexed (Exploit-DB). EPSS rose +1.61% over the last day, indicating growing attacker interest. Public exploits are available—assess exposure, apply mitigations, and prioritize patching.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Public exploit references (Exploit-DB) for CVE-2023-48795

EDB-ID Source Kind Published Link
nvd_ref exploit_tag Exploit-DB ↗
nvd_ref exploit_tag Exploit-DB ↗
nvd_ref exploit_tag Exploit-DB ↗

Exploit prediction scoring system (EPSS) score for CVE-2023-48795

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-05-29 52.61% 54.21% +1.61%
2 2026-05-27 53.83% 52.61% -1.22%
3 2026-05-25 53.83%

Full EPSS history (177 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2023-48795

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
5.9 3.1 MEDIUM
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:H)
Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work.
Privileges required (PR:N)
No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:N)
Doesn’t really leak secrets in a meaningful way.
Integrity (I:H)
They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:N)
Service keeps running; no real outage angle.
 2.2 3.6 [email protected]
5.9 3.1 MEDIUM
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:H)
Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work.
Privileges required (PR:N)
No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:N)
Doesn’t really leak secrets in a meaningful way.
Integrity (I:H)
They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:N)
Service keeps running; no real outage angle.
 2.2 3.6 134c704f-9b21-4f2e-91b3-4a467353bcc0

Weakness enumeration for CVE-2023-48795

GitHub Security Advisory for CVE-2023-48795

GHSA-45x7-px36-x8w8 · Severity: medium · Ecosystem: rust — Prefix Truncation Attack against ChaCha20-Poly1305 and Encrypt-then-MAC aka Terrapin

OS Trackers for CVE-2023-48795

vendor priority summary link
alpine CVE-2023-48795: 21 source package rows (buildah, doctl, …); 110 state rows across 12 repos (3.17-main, 3.18-main, 3.19-community, 3.19-main, 3.20-community, 3.20-main, 3.21-community, 3.21-main, 3.22-community, 3.22-main, edge-community, edge-main); fixed 110, open 0. https://security.alpinelinux.org/vuln/CVE-2023-48795
debian unimportant CVE-2023-48795 unimportant priority: Debian including 18 source packages (dropbear, erlang, …), 88 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 76, open 12. https://security-tracker.debian.org/tracker/CVE-2023-48795
gentoo normal CVE-2023-48795: 5 GLSA(s) (202312-16, 202312-17, …), 5 atom(s) (app-containers/podman, net-ftp/proftpd, net-libs/libssh, net-misc/openssh, net-misc/putty); latest impact normal. https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2023-48795
redhat medium https://access.redhat.com/security/cve/CVE-2023-48795
suse high CVE-2023-48795 severity important: SUSE including 740 source package names (1.2.3-2.2.63:libssh-config-0.9.8-150400.3.3.1, 1.2.3-2.2.63:libssh4-0.9.8-150400.3.3.1, …), 2645 product×package rows across 350 product lines (Container bci/golang, Container bci/nodejs, … (350 product lines)): Fixed 2282, Known Affected 195, Known Not Affected 164, Will Not Fix 4. https://www.suse.com/security/cve/CVE-2023-48795/
ubuntu medium CVE-2023-48795 medium priority: Ubuntu including 13 source packages (dropbear, filezilla, …), 156 status rows across 12 suites (bionic, focal, jammy, lunar, mantic, noble, oracular, plucky, questing, trusty, upstream, xenial): released 48, ignored 37, not-affected 32, needs-triage 27, DNE 12. https://ubuntu.com/security/CVE-2023-48795

Affected software / configurations for CVE-2023-48795

Vendor Product Version Raw CPE
openbsd openssh < 9.6 cpe:2.3:a:openbsd:openssh:*:*:*:*:*:*:*:*
putty putty < 0.80 cpe:2.3:a:putty:putty:*:*:*:*:*:*:*:*
filezilla-project filezilla_client < 3.66.4 cpe:2.3:a:filezilla-project:filezilla_client:*:*:*:*:*:*:*:*
panic transmit_5 < 5.10.4 cpe:2.3:a:panic:transmit_5:*:*:*:*:*:*:*:*
panic nova < 11.8 cpe:2.3:a:panic:nova:*:*:*:*:*:*:*:*
roumenpetrov pkixssh < 14.4 cpe:2.3:a:roumenpetrov:pkixssh:*:*:*:*:*:*:*:*
winscp winscp < 6.2.2 cpe:2.3:a:winscp:winscp:*:*:*:*:*:*:*:*
bitvise ssh_client < 9.33 cpe:2.3:a:bitvise:ssh_client:*:*:*:*:*:*:*:*
bitvise ssh_server < 9.32 cpe:2.3:a:bitvise:ssh_server:*:*:*:*:*:*:*:*
lancom-systems lcos <= 3.66.4 cpe:2.3:o:lancom-systems:lcos:*:*:*:*:*:*:*:*
lancom-systems lcos_fx cpe:2.3:o:lancom-systems:lcos_fx:-:*:*:*:*:*:*:*
lancom-systems lcos_lx cpe:2.3:o:lancom-systems:lcos_lx:-:*:*:*:*:*:*:*
lancom-systems lcos_sx 4.20 cpe:2.3:o:lancom-systems:lcos_sx:4.20:*:*:*:*:*:*:*
lancom-systems lcos_sx 5.20 cpe:2.3:o:lancom-systems:lcos_sx:5.20:*:*:*:*:*:*:*
lancom-systems lanconfig cpe:2.3:o:lancom-systems:lanconfig:-:*:*:*:*:*:*:*
vandyke securecrt < 9.4.3 cpe:2.3:a:vandyke:securecrt:*:*:*:*:*:*:*:*
libssh libssh < 0.10.6 cpe:2.3:a:libssh:libssh:*:*:*:*:*:*:*:*
net-ssh net-ssh 7.2.0 cpe:2.3:a:net-ssh:net-ssh:7.2.0:*:*:*:*:ruby:*:*
ssh2_project ssh2 <= 1.11.0 cpe:2.3:a:ssh2_project:ssh2:*:*:*:*:*:node.js:*:*
proftpd proftpd <= 1.3.8b cpe:2.3:a:proftpd:proftpd:*:*:*:*:*:*:*:*
freebsd freebsd <= 12.4 cpe:2.3:o:freebsd:freebsd:*:*:*:*:*:*:*:*
crates thrussh < 0.35.1 cpe:2.3:a:crates:thrussh:*:*:*:*:*:*:*:*
tera_term_project tera_term <= 5.1 cpe:2.3:a:tera_term_project:tera_term:*:*:*:*:*:*:*:*
oryx-embedded cyclone_ssh < 2.3.4 cpe:2.3:a:oryx-embedded:cyclone_ssh:*:*:*:*:*:*:*:*
crushftp crushftp <= 10.6.0 cpe:2.3:a:crushftp:crushftp:*:*:*:*:*:*:*:*
netsarang xshell_7 < build__0144 cpe:2.3:a:netsarang:xshell_7:*:*:*:*:*:*:*:*
paramiko paramiko < 3.4.0 cpe:2.3:a:paramiko:paramiko:*:*:*:*:*:*:*:*
redhat openshift_container_platform 4.0 cpe:2.3:a:redhat:openshift_container_platform:4.0:*:*:*:*:*:*:*
redhat openstack_platform 16.1 cpe:2.3:a:redhat:openstack_platform:16.1:*:*:*:*:*:*:*
redhat openstack_platform 16.2 cpe:2.3:a:redhat:openstack_platform:16.2:*:*:*:*:*:*:*
redhat openstack_platform 17.1 cpe:2.3:a:redhat:openstack_platform:17.1:*:*:*:*:*:*:*
redhat ceph_storage 6.0 cpe:2.3:a:redhat:ceph_storage:6.0:*:*:*:*:*:*:*
redhat enterprise_linux 8.0 cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
redhat enterprise_linux 9.0 cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*
redhat openshift_serverless cpe:2.3:a:redhat:openshift_serverless:-:*:*:*:*:*:*:*
redhat openshift_gitops cpe:2.3:a:redhat:openshift_gitops:-:*:*:*:*:*:*:*
redhat openshift_pipelines cpe:2.3:a:redhat:openshift_pipelines:-:*:*:*:*:*:*:*
redhat openshift_developer_tools_and_services cpe:2.3:a:redhat:openshift_developer_tools_and_services:-:*:*:*:*:*:*:*
redhat openshift_data_foundation 4.0 cpe:2.3:a:redhat:openshift_data_foundation:4.0:*:*:*:*:*:*:*
redhat openshift_api_for_data_protection cpe:2.3:a:redhat:openshift_api_for_data_protection:-:*:*:*:*:*:*:*
redhat openshift_virtualization 4 cpe:2.3:a:redhat:openshift_virtualization:4:*:*:*:*:*:*:*
redhat storage 3.0 cpe:2.3:a:redhat:storage:3.0:*:*:*:*:*:*:*
redhat discovery cpe:2.3:a:redhat:discovery:-:*:*:*:*:*:*:*
redhat openshift_dev_spaces cpe:2.3:a:redhat:openshift_dev_spaces:-:*:*:*:*:*:*:*
redhat cert-manager_operator_for_red_hat_openshift cpe:2.3:a:redhat:cert-manager_operator_for_red_hat_openshift:-:*:*:*:*:*:*:*
redhat keycloak cpe:2.3:a:redhat:keycloak:-:*:*:*:*:*:*:*
redhat jboss_enterprise_application_platform 7.0 cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0:*:*:*:*:*:*:*
redhat single_sign-on 7.0 cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*
redhat advanced_cluster_security 3.0 cpe:2.3:a:redhat:advanced_cluster_security:3.0:*:*:*:*:*:*:*
redhat advanced_cluster_security 4.0 cpe:2.3:a:redhat:advanced_cluster_security:4.0:*:*:*:*:*:*:*
golang crypto < 0.17.0 cpe:2.3:a:golang:crypto:*:*:*:*:*:*:*:*
russh_project russh < 0.40.2 cpe:2.3:a:russh_project:russh:*:*:*:*:*:rust:*:*
sftpgo_project sftpgo < 2.5.6 cpe:2.3:a:sftpgo_project:sftpgo:*:*:*:*:*:*:*:*
erlang erlang\/otp < 22.3.4.27 cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
erlang erlang\/otp >= 23.0, < 23.3.4.20 cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
erlang erlang\/otp >= 24.0, < 24.3.4.15 cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
erlang erlang\/otp >= 25.0, < 25.3.2.8 cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
erlang erlang\/otp >= 26.0, < 26.2.1 cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
matez jsch < 0.2.15 cpe:2.3:a:matez:jsch:*:*:*:*:*:*:*:*
libssh2 libssh2 < 1.11.1 cpe:2.3:a:libssh2:libssh2:*:*:*:*:*:*:*:*
asyncssh_project asyncssh < 2.14.2 cpe:2.3:a:asyncssh_project:asyncssh:*:*:*:*:*:*:*:*
dropbear_ssh_project dropbear_ssh < 2022.83 cpe:2.3:a:dropbear_ssh_project:dropbear_ssh:*:*:*:*:*:*:*:*
jadaptive maverick_synergy_java_ssh_api < 3.1.0-snapshot cpe:2.3:a:jadaptive:maverick_synergy_java_ssh_api:*:*:*:*:*:*:*:*
ssh ssh < 4.9.1.5 cpe:2.3:a:ssh:ssh:*:*:*:*:*:*:*:*
ssh ssh >= 4.10, < 4.11.1.7 cpe:2.3:a:ssh:ssh:*:*:*:*:*:*:*:*
ssh ssh >= 4.12, < 4.13.2.4 cpe:2.3:a:ssh:ssh:*:*:*:*:*:*:*:*
ssh ssh >= 4.14, < 4.15.3.1 cpe:2.3:a:ssh:ssh:*:*:*:*:*:*:*:*
ssh ssh >= 5.0, < 5.1.1 cpe:2.3:a:ssh:ssh:*:*:*:*:*:*:*:*
thorntech sftp_gateway_firmware < 3.4.6 cpe:2.3:o:thorntech:sftp_gateway_firmware:*:*:*:*:*:*:*:*
netgate pfsense_plus <= 23.09.1 cpe:2.3:a:netgate:pfsense_plus:*:*:*:*:*:*:*:*
netgate pfsense_ce <= 2.7.2 cpe:2.3:a:netgate:pfsense_ce:*:*:*:*:*:*:*:*
crushftp crushftp < 10.6.0 cpe:2.3:a:crushftp:crushftp:*:*:*:*:*:*:*:*
connectbot sshlib < 2.2.22 cpe:2.3:a:connectbot:sshlib:*:*:*:*:*:*:*:*
apache sshd <= 2.11.0 cpe:2.3:a:apache:sshd:*:*:*:*:*:*:*:*
apache sshj <= 0.37.0 cpe:2.3:a:apache:sshj:*:*:*:*:*:*:*:*
tinyssh tinyssh <= 20230101 cpe:2.3:a:tinyssh:tinyssh:*:*:*:*:*:*:*:*
trilead ssh2 6401 cpe:2.3:a:trilead:ssh2:6401:*:*:*:*:*:*:*
9bis kitty <= 0.76.1.13 cpe:2.3:a:9bis:kitty:*:*:*:*:*:*:*:*
gentoo security cpe:2.3:a:gentoo:security:-:*:*:*:*:*:*:*
fedoraproject fedora 38 cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*

References for CVE-2023-48795

URL Tags
http://packetstormsecurity.com/files/176280/Terrapin-SSH-Connection-Weakening.html Third Party Advisory VDB Entry
http://seclists.org/fulldisclosure/2024/Mar/21 Mailing List Third Party Advisory
http://www.openwall.com/lists/oss-security/2023/12/18/3 Mailing List
http://www.openwall.com/lists/oss-security/2023/12/19/5 Mailing List
http://www.openwall.com/lists/oss-security/2023/12/20/3 Mailing List Mitigation
http://www.openwall.com/lists/oss-security/2024/03/06/3 Mailing List
http://www.openwall.com/lists/oss-security/2024/04/17/8 Mailing List
https://access.redhat.com/security/cve/cve-2023-48795 Third Party Advisory
https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack/ Press/Media Coverage
https://bugs.gentoo.org/920280 Issue Tracking
https://bugzilla.redhat.com/show_bug.cgi?id=2254210 Issue Tracking
https://bugzilla.suse.com/show_bug.cgi?id=1217950 Issue Tracking
https://crates.io/crates/thrussh/versions Release Notes
https://filezilla-project.org/versions.php Release Notes
https://forum.netgate.com/topic/184941/terrapin-ssh-attack Issue Tracking
https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.10&id=10e09e273f69e149389b3e0e5d44b8c221c2e7f6 Patch
https://github.com/NixOS/nixpkgs/pull/275249 Release Notes
https://github.com/PowerShell/Win32-OpenSSH/issues/2189 Issue Tracking
https://github.com/PowerShell/Win32-OpenSSH/releases/tag/v9.5.0.0p1-Beta Release Notes
https://github.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0 Patch
https://github.com/TeraTermProject/teraterm/releases/tag/v5.1 Release Notes
https://github.com/advisories/GHSA-45x7-px36-x8w8 Third Party Advisory
https://github.com/apache/mina-sshd/issues/445 Issue Tracking
https://github.com/connectbot/sshlib/commit/5c8b534f6e97db7ac0e0e579331213aa25c173ab Patch
https://github.com/connectbot/sshlib/compare/2.2.21...2.2.22 Third Party Advisory
https://github.com/cyd01/KiTTY/issues/520 Issue Tracking
https://github.com/drakkan/sftpgo/releases/tag/v2.5.6 Release Notes
https://github.com/erlang/otp/blob/d1b43dc0f1361d2ad67601169e90a7fc50bb0369/lib/ssh/doc/src/notes.xml#L39-L42 Patch
https://github.com/erlang/otp/releases/tag/OTP-26.2.1 Release Notes
https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d Patch
https://github.com/hierynomus/sshj/issues/916 Issue Tracking
https://github.com/janmojzis/tinyssh/issues/81 Issue Tracking
https://github.com/jtesta/ssh-audit/commit/8e972c5e94b460379fe0c7d20209c16df81538a5 Patch
https://github.com/libssh2/libssh2/pull/1291 Mitigation
https://github.com/mkj/dropbear/blob/17657c36cce6df7716d5ff151ec09a665382d5dd/CHANGES#L25 Patch
https://github.com/mscdex/ssh2/commit/97b223f8891b96d6fc054df5ab1d5a1a545da2a3 Patch
https://github.com/mwiede/jsch/compare/jsch-0.2.14...jsch-0.2.15 Product
https://github.com/mwiede/jsch/issues/457 Issue Tracking
https://github.com/mwiede/jsch/pull/461 Release Notes
https://github.com/net-ssh/net-ssh/blob/2e65064a52d73396bfc3806c9196fc8108f33cd8/CHANGES.txt#L14-L16 Patch
https://github.com/openssh/openssh-portable/commits/master Patch
https://github.com/paramiko/paramiko/issues/2337 Issue Tracking
https://github.com/proftpd/proftpd/blob/0a7ea9b0ba9fcdf368374a226370d08f10397d99/RELEASE_NOTES Release Notes
https://github.com/proftpd/proftpd/blob/d21e7a2e47e9b38f709bec58e3fa711f759ad0e1/RELEASE_NOTES Release Notes
https://github.com/proftpd/proftpd/blob/master/RELEASE_NOTES Release Notes
https://github.com/proftpd/proftpd/issues/456 Issue Tracking
https://github.com/rapier1/hpn-ssh/releases Release Notes
https://github.com/ronf/asyncssh/blob/develop/docs/changes.rst Release Notes
https://github.com/ronf/asyncssh/tags Release Notes
https://github.com/ssh-mitm/ssh-mitm/issues/165 Issue Tracking
https://github.com/warp-tech/russh/releases/tag/v0.40.2 Release Notes
https://gitlab.com/libssh/libssh-mirror/-/tags Release Notes
https://groups.google.com/g/golang-announce/c/-n5WqVC18LQ Mailing List
https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg Mailing List
https://help.panic.com/releasenotes/transmit5/ Release Notes
https://jadaptive.com/important-java-ssh-security-update-new-ssh-vulnerability-discovered-cve-2023-48795/ Press/Media Coverage
https://lists.debian.org/debian-lts-announce/2023/12/msg00017.html Mailing List
https://lists.debian.org/debian-lts-announce/2024/01/msg00013.html Mailing List Third Party Advisory
https://lists.debian.org/debian-lts-announce/2024/01/msg00014.html Mailing List Third Party Advisory
https://lists.debian.org/debian-lts-announce/2024/04/msg00016.html Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/33XHJUB6ROFUOH2OQNENFROTVH6MHSHA/ Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3CAYYW35MUTNO65RVAELICTNZZFMT2XS/ Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3JIMLVBDWOP4FUPXPTB4PGHHIOMGFLQE/ Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3YQLUQWLIHDB5QCXQEX7HXHAWMOKPP5O/ Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6Y74KVCPEPT4MVU3LHDWCNNOXOE5ZLUR/ Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/APYIXIQOVDCRWLHTGB4VYMAUIAQLKYJ3/ Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BL5KTLOSLH2KHRN4HCXJPK3JUVLDGEL6/ Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C3AFMZ6MH2UHHOPIWT5YLSFV3D2VB3AC/ Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CHHITS4PUOZAKFIUBQAQZC7JWXMOYE4B/ Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F7EYCFQCTSGJXWO3ZZ44MGKFC5HA7G3Y/ Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HYEDEXIKFKTUJIN43RG4B7T5ZS6MHUSP/ Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I724O3LSRCPO4WNVIXTZCT4VVRMXMMSG/ Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KEOTKBUPZXHE3F352JBYNTSNRXYLWD6P/ Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KMZCVGUGJZZVDPCVDA7TEB22VUCNEXDD/ Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L5Y6MNNVAPIJSXJERQ6PKZVCIUXSNJK7/ Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LZQVUHWVWRH73YBXUQJOD6CKHDQBU3DM/ Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MKQRBF3DWMWPH36LBCOBUTSIZRTPEZXB/ Vendor Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QI3EHAHABFQK7OABNCSF5GMYP6TONTI7/ Mailing List Third Party Advisory
https://matt.ucc.asn.au/dropbear/CHANGES Release Notes
https://nest.pijul.com/pijul/thrussh/changes/D6H7OWTTMHHX6BTB3B6MNBOBX2L66CBL4LGSEUSAI2MCRCJDQFRQC Patch
https://news.ycombinator.com/item?id=38684904 Issue Tracking
https://news.ycombinator.com/item?id=38685286 Issue Tracking
https://news.ycombinator.com/item?id=38732005 Issue Tracking
https://nova.app/releases/#v11.8 Release Notes
https://oryx-embedded.com/download/#changelog Release Notes
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0002 Third Party Advisory
https://roumenpetrov.info/secsh/#news20231220 Release Notes
https://security-tracker.debian.org/tracker/CVE-2023-48795 Vendor Advisory
https://security-tracker.debian.org/tracker/source-package/libssh2 Vendor Advisory
https://security-tracker.debian.org/tracker/source-package/proftpd-dfsg Vendor Advisory
https://security-tracker.debian.org/tracker/source-package/trilead-ssh2 Issue Tracking
https://security.gentoo.org/glsa/202312-16 Third Party Advisory
https://security.gentoo.org/glsa/202312-17 Third Party Advisory
https://security.netapp.com/advisory/ntap-20240105-0004/ Third Party Advisory
https://support.apple.com/kb/HT214084 Third Party Advisory
https://thorntech.com/cve-2023-48795-and-sftp-gateway/ Third Party Advisory
https://twitter.com/TrueSkrillor/status/1736774389725565005 Press/Media Coverage
https://ubuntu.com/security/CVE-2023-48795 Vendor Advisory
https://winscp.net/eng/docs/history#6.2.2 Release Notes
https://www.bitvise.com/ssh-client-version-history#933 Release Notes
https://www.bitvise.com/ssh-server-version-history Release Notes
https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html Release Notes
https://www.crushftp.com/crush10wiki/Wiki.jsp?page=Update Release Notes
https://www.debian.org/security/2023/dsa-5586 Issue Tracking
https://www.debian.org/security/2023/dsa-5588 Issue Tracking
https://www.freebsd.org/security/advisories/FreeBSD-SA-23:19.openssh.asc Release Notes
https://www.lancom-systems.de/service-support/allgemeine-sicherheitshinweise#c243508 Vendor Advisory
https://www.netsarang.com/en/xshell-update-history/ Release Notes
https://www.openssh.com/openbsd.html Release Notes
https://www.openssh.com/txt/release-9.6 Release Notes
https://www.openwall.com/lists/oss-security/2023/12/18/2 Mailing List
https://www.openwall.com/lists/oss-security/2023/12/20/3 Mailing List Mitigation
https://www.paramiko.org/changelog.html Release Notes
https://www.reddit.com/r/sysadmin/comments/18idv52/cve202348795_why_is_this_cve_still_undisclosed/ Issue Tracking
https://www.suse.com/c/suse-addresses-the-ssh-v2-protocol-terrapin-attack-aka-cve-2023-48795/ Press/Media Coverage
https://www.terrapin-attack.com Exploit
https://www.theregister.com/2023/12/20/terrapin_attack_ssh Press/Media Coverage
https://www.vandyke.com/products/securecrt/history.txt Release Notes
https://lists.debian.org/debian-lts-announce/2024/09/msg00042.html
https://lists.debian.org/debian-lts-announce/2024/11/msg00032.html
https://lists.debian.org/debian-lts-announce/2025/04/msg00028.html
https://lists.fedoraproject.org/archives/list/[email protected]/message/33XHJUB6ROFUOH2OQNENFROTVH6MHSHA/
https://lists.fedoraproject.org/archives/list/[email protected]/message/3JIMLVBDWOP4FUPXPTB4PGHHIOMGFLQE/
https://lists.fedoraproject.org/archives/list/[email protected]/message/3YQLUQWLIHDB5QCXQEX7HXHAWMOKPP5O/
https://lists.fedoraproject.org/archives/list/[email protected]/message/6Y74KVCPEPT4MVU3LHDWCNNOXOE5ZLUR/
https://lists.fedoraproject.org/archives/list/[email protected]/message/APYIXIQOVDCRWLHTGB4VYMAUIAQLKYJ3/
https://lists.fedoraproject.org/archives/list/[email protected]/message/C3AFMZ6MH2UHHOPIWT5YLSFV3D2VB3AC/
https://lists.fedoraproject.org/archives/list/[email protected]/message/HYEDEXIKFKTUJIN43RG4B7T5ZS6MHUSP/
https://lists.fedoraproject.org/archives/list/[email protected]/message/I724O3LSRCPO4WNVIXTZCT4VVRMXMMSG/
https://lists.fedoraproject.org/archives/list/[email protected]/message/L5Y6MNNVAPIJSXJERQ6PKZVCIUXSNJK7/
https://lists.fedoraproject.org/archives/list/[email protected]/message/LZQVUHWVWRH73YBXUQJOD6CKHDQBU3DM/
https://lists.fedoraproject.org/archives/list/[email protected]/message/MKQRBF3DWMWPH36LBCOBUTSIZRTPEZXB/
https://www.vicarius.io/vsociety/posts/cve-2023-48795-detect-openssh-vulnerabilit Exploit Third Party Advisory
https://www.vicarius.io/vsociety/posts/cve-2023-48795-mitigate-openssh-vulnerability Exploit Third Party Advisory
https://cert-portal.siemens.com/productcert/html/ssa-082556.html
https://cert-portal.siemens.com/productcert/html/ssa-364175.html
https://cert-portal.siemens.com/productcert/html/ssa-769027.html
https://cert-portal.siemens.com/productcert/html/ssa-794697.html
https://cert-portal.siemens.com/productcert/html/ssa-915275.html
cvelogic Threat Intelligence