Out of Bounds Read Vulnerability in libssh2 Affects SSH Servers
CVE-2019-3860

5 MEDIUM

Key Information:

Status
Vendor
CVE Published: 25 March 2019

What is CVE-2019-3860?

libssh2 before version 1.8.1 contains an out-of-bounds read flaw that is triggered while parsing SFTP packets with empty payloads. A remote attacker who has gained access to an SSH server that a vulnerable libssh2 client connects to may be able to exploit the flaw to cause a Denial of Service or to read sensitive data from client memory. Users and administrators should update to version 1.8.1 or later to protect against such attacks.

Affected Version(s)

libssh2 1.8.1

References

CVSS V3.1

Score: 5
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged

CVSS V3.0

Score: 5
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved
