Memory Corruption Flaw in Libssh2 Affects Multiple Platforms
CVE-2019-3863
7.5 HIGH
What is CVE-2019-3863?
A vulnerability in libssh2 versions prior to 1.8.1 allows a server to exploit a flaw in which multiple keyboard-interactive response messages can exceed the maximum length that an unsigned char can represent. This can lead to an out-of-bounds memory write, potentially enabling an attacker to execute arbitrary code or crash the application.
Affected Version(s)
libssh2 1.8.1
References
EPSS Score
8% chance of being exploited in the next 30 days.
CVSS V3.1
Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged
CVSS V3.0
Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
