ALT Linux Team

Package libssh update in sisyphus on 2019-12-11

ALT-PU-2019-3261-1

Package libssh updated to version 0.9.3-alt1 for branch sisyphus in task 242717.

Closed vulnerabilities

Published: 2020-04-15

BDU:2020-02642

Уязвимость функции ssh_scp_new() библиотеки libssh, позволяющая нарушителю выполнить произвольный код

Severity: HIGH (7.1) Vector: AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
Severity: HIGH (8.5) Vector: AV:N/AC:M/Au:S/C:C/I:C/A:C
References:
Published: 2019-12-10
Modified: 2024-11-21

CVE-2019-14889

A flaw was found with the libssh API function ssh_scp_new() in versions before 0.9.3 and before 0.8.8. When the libssh SCP client connects to a server, the scp command, which includes a user-provided path, is executed on the server-side. In case the library is used in a way where users can influence the third parameter of the function, it would become possible for an attacker to inject arbitrary commands, leading to a compromise of the remote target.

Severity: CRITICAL (9.3) Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Severity: HIGH (8.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
References:
VKontakte | Telegram | YouTube | Forum | GitHub | Bugzilla
Version: 2.1.2
Back to top