Integer Overflow Vulnerability in libssh2 Affects Multiple Vendors
CVE-2019-3856

7.5HIGH

Key Information:

Vendor: The Libssh2 Project
Status: Libssh2
Vendor: CVE Published:; 25 March 2019

🔔 Create The Libssh2 Project Vulnerability Alert

What is CVE-2019-3856?

An integer overflow vulnerability in libssh2 allows a remote attacker to create malicious keyboard prompts that, when handled by a client, can result in an out-of-bounds write. This could lead to arbitrary code execution on the client’s system. Users connecting to compromised SSH servers are particularly at risk, necessitating immediate updates to versions earlier than 1.8.1 to mitigate potential exploitation.

Affected Version(s)

libssh2 1.8.1

References

https://www.libssh2.org/CVE-2019-3856.html

x_refsource_MISC

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3856

x_refsource_CONFIRM

https://lists.debian.org/debian-lts-announce/2019/03/msg0...

mailing-listx_refsource_MLIST

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

CVSS V3.0

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 25, 2019
Vulnerability Reserved
Jan 3, 2019

CVE-2019-3856 Data

JSON