CVE-2023-51384
NixOS vulnerability analysis and mitigation

Overview

CVE-2023-51384 affects ssh-agent in OpenSSH versions before 9.6. When destination constraints are specified during addition of PKCS#11-hosted private keys, these constraints are only applied to the first key, even if a PKCS#11 token returns multiple keys (OpenSSH Release, NVD).

Technical details

The vulnerability is a logic error in the ssh-agent component where destination constraints are incompletely applied to PKCS#11-hosted private keys. The issue only affects cases where destination constraints are specified and multiple keys are returned from a PKCS#11 token. Regular private keys, FIDO tokens, and unconstrained keys are not affected. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N (NVD).

Impact

The vulnerability could lead to unauthorized key use, because the destination constraints meant to limit where a key may be used are not applied to every PKCS#11-hosted key returned by a token. Any key beyond the first is therefore usable without the intended restrictions (OpenSSH Release).

Mitigation and workarounds

The issue has been fixed in OpenSSH 9.6. Users should upgrade to this version or later to address the vulnerability. The fix ensures destination constraints are properly applied to all keys returned by PKCS#11 tokens (OpenSSH Release, Debian Advisory).
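As an added example (not part of this advisory or of OpenSSH itself), a POSIX shell check that classifies an `ssh -V` banner against the 9.6 fix line; the function names are my own.

```shell
#!/bin/sh
# Version check for CVE-2023-51384: before OpenSSH 9.6, ssh-agent applies
# destination constraints (keys added with `ssh-add -h host -s pkcs11.so`)
# only to the first key a PKCS#11 token returns.
# Added example; parses the banner printed by `ssh -V` (it goes to stderr).

# Extract "MAJOR.MINOR" from a banner such as
#   "OpenSSH_9.5p1 Debian-1, OpenSSL 3.0.11 19 Sep 2023"
openssh_version() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1.\2/p'
}

# 0 when the version carries the upstream fix (>= 9.6), 1 when older,
# 2 when the banner cannot be parsed.
openssh_fixed_for_cve_2023_51384() {
    ver=$(openssh_version "$1")
    [ -n "$ver" ] || return 2
    major=${ver%%.*}
    minor=${ver#*.}
    if [ "$major" -gt 9 ]; then
        return 0
    elif [ "$major" -eq 9 ] && [ "$minor" -ge 6 ]; then
        return 0
    fi
    return 1
}

# Map the exit status to a verdict string: fixed / vulnerable / unknown.
cve_2023_51384_verdict() {
    openssh_fixed_for_cve_2023_51384 "$1" && rc=0 || rc=$?
    case $rc in
        0) echo "fixed" ;;
        2) echo "unknown" ;;
        *) echo "vulnerable" ;;
    esac
}

# Check the locally installed OpenSSH when run directly.
if command -v ssh >/dev/null 2>&1; then
    banner=$(ssh -V 2>&1)
    echo "$banner -> $(cve_2023_51384_verdict "$banner")"
fi
```

Distributions such as Debian backport fixes without bumping the upstream version, so a "vulnerable" verdict on a vendor package means "check the vendor advisory", not confirmed exposure.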
