Monkeysphere version 0.31 introduced a vulnerability that could allow arbitrary code execution as the 'monkeysphere' system account if the superuser were to run the command "monkeysphere-authentication keys-for-user". Depending on the configuration of the host, access to this system account can potentially grant access to other accounts.

The problem also existed in version 0.32 but was resolved in version 0.33. Versions prior to 0.31 were not affected.

If you are running one of the versions with this issue, it is highly recommended that you update as soon as possible.

A CVE identifier has been assigned to this issue: CVE-2010-4096.

For more information, please see the mailing list post about the issue.