OpenSSH has vulnerabilities CVE-2023-51384 and CVE-2023-51385 which are resolved in version 9.6 and above. According to the Third Party License Acknowledgments page in the Privileged Access Manager documentation, OpenSSH 7.6p1 is used. Is PAM impacted by these two vulnerabilities?
Privileged Access Manager, 4.1.x
PAM is not impacted by either vulnerability for the following reasons.
For CVE-2023-51384, the vulnerable OpenSSH ssh-agent client code is not used within the PAM software.
For CVE-2023-51385, the vulnerable ProxyCommand component is disabled by default in OpenSSH, and PAM does not enable it.
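To confirm the same condition on other hosts that run an affected OpenSSH client, the following added example (not Broadcom or PAM code) scans the text of an `ssh_config` file for active `ProxyCommand` directives. The sample configuration and the function names are constructed for illustration, and files pulled in through `Include` are not followed.

```python
import re

# Constructed sample ssh_config text (not taken from any PAM system).
SAMPLE_CONFIG = """\
# global defaults
Host *
    ServerAliveInterval 30
    ProxyCommand none

Host jump-*
    proxycommand=ssh -W %h:%p bastion.example

Host legacy
    # ProxyCommand ssh -W %h:%p bastion.example
    User admin
"""

# ssh_config keywords are case-insensitive and are separated from their
# value by whitespace or by optional whitespace and a single '='.
_DIRECTIVE = re.compile(r"^\s*([A-Za-z]+)(?:\s*=\s*|\s+)(.*?)\s*$")


def find_proxycommand(config_text):
    """Return (line_no, block, command) for each active ProxyCommand."""
    findings = []
    block = "(global)"
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank line or comment
        m = _DIRECTIVE.match(raw)
        if not m:
            continue
        keyword, value = m.group(1).lower(), m.group(2)
        if keyword in ("host", "match"):
            block = f"{m.group(1)} {value}"  # remember the enclosing block
        elif keyword == "proxycommand" and value.strip('"').lower() != "none":
            # "ProxyCommand none" explicitly disables the option.
            findings.append((line_no, block, value))
    return findings


def proxycommand_enabled(config_text):
    """True if any block in the configuration enables ProxyCommand."""
    return bool(find_proxycommand(config_text))


if __name__ == "__main__":
    for line_no, block, cmd in find_proxycommand(SAMPLE_CONFIG):
        print(f"line {line_no} [{block}]: ProxyCommand {cmd}")
```

An empty result for both the system-wide and per-user client configuration matches the default state described above.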