MidnightBSD

Advisories for libssh2

CVE-2015-1782 MEDIUM

The kex_agree_methods function in libssh2 before 1.5.0 allows remote servers to cause a denial of service (crash) or have other unspecified impact via crafted length values in an SSH_MSG_KEXINIT packet.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
fedoraproject fedora 22
debian debian_linux 7.0
fedoraproject fedora 21
libssh2 libssh2 *
fedoraproject fedora 20
CVE-2016-0787 MEDIUM

The diffie_hellman_sha256 function in kex.c in libssh2 before 1.7.0 improperly truncates secrets to 128 or 256 bits, which makes it easier for man-in-the-middle attackers to decrypt or intercept SSH sessions via unspecified vectors, aka a "bits/bytes confusion bug."

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
fedoraproject fedora 22
fedoraproject fedora 23
debian debian_linux 7.0
opensuse opensuse 13.2
libssh2 libssh2 *
debian debian_linux 8.0
CVE-2019-13115 MEDIUM

In libssh2 before 1.9.0, kex_method_diffie_hellman_group_exchange_sha256_key_exchange in kex.c has an integer overflow that could lead to an out-of-bounds read in the way packets are read from the server. A remote attacker who compromises a SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server. This is related to an _libssh2_check_length mistake, and is different from the various issues fixed in 1.8.1, such as CVE-2019-3855.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H 2.8 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,CWE-190,

Products Affected

Vendor Product Version
debian debian_linux 9.0
netapp ontap_select_deploy_administration_utility -
fedoraproject fedora 30
f5 traffix_systems_signaling_delivery_controller *
libssh2 libssh2 *
debian debian_linux 8.0
netapp cloud_backup -
fedoraproject fedora 29
netapp e-series_santricity_os_controller *
CVE-2019-17498 MEDIUM

In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT logic in packet.c has an integer overflow in a bounds check, enabling an attacker to specify an arbitrary (out-of-bounds) offset for a subsequent memory read. A crafted SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H 2.8 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-190,

Products Affected

Vendor Product Version
debian debian_linux 9.0
fedoraproject fedora 31
fedoraproject fedora 30
netapp hci_management_node -
netapp solidfire -
libssh2 libssh2 *
debian debian_linux 8.0
netapp ontap_select_deploy_administration_utility -
opensuse leap 15.1
netapp bootstrap_os -
netapp element_software -
netapp active_iq_unified_manager -
CVE-2019-3855 HIGH

An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 before 1.8.1 in the way packets are read from the server. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-190,CWE-787,CWE-190,CWE-787,

Products Affected

Vendor Product Version
debian debian_linux 9.0
opensuse leap 42.3
fedoraproject fedora 30
oracle peoplesoft_enterprise_peopletools 8.57
redhat enterprise_linux_server 7.0
libssh2 libssh2 *
fedoraproject fedora 28
debian debian_linux 8.0
redhat enterprise_linux_desktop 7.0
fedoraproject fedora 29
redhat enterprise_linux_server_aus 7.6
redhat enterprise_linux_server_eus 7.6
netapp ontap_select_deploy_administration_utility -
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux 8.0
apple xcode *
oracle peoplesoft_enterprise_peopletools 8.56
CVE-2019-3856 MEDIUM

An integer overflow flaw, which could lead to an out of bounds write, was discovered in libssh2 before 1.8.1 in the way keyboard prompt requests are parsed. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-190,CWE-787,CWE-190,CWE-787,

Products Affected

Vendor Product Version
debian debian_linux 9.0
opensuse leap 42.3
oracle peoplesoft_enterprise_peopletools 8.57
redhat enterprise_linux_server 7.0
opensuse leap 15.0
libssh2 libssh2 *
fedoraproject fedora 28
debian debian_linux 8.0
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_server_aus 7.6
redhat enterprise_linux_server_eus 7.6
netapp ontap_select_deploy_administration_utility -
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux 8.0
oracle peoplesoft_enterprise_peopletools 8.56
CVE-2019-3857 MEDIUM

An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 before 1.8.1 in the way SSH_MSG_CHANNEL_REQUEST packets with an exit signal are parsed. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-190,CWE-787,CWE-190,CWE-787,

Products Affected

Vendor Product Version
debian debian_linux 9.0
opensuse leap 42.3
oracle peoplesoft_enterprise_peopletools 8.57
redhat enterprise_linux_server 7.0
opensuse leap 15.0
libssh2 libssh2 *
fedoraproject fedora 28
debian debian_linux 8.0
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_server_aus 7.6
redhat enterprise_linux_server_eus 7.6
netapp ontap_select_deploy_administration_utility -
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux 8.0
oracle peoplesoft_enterprise_peopletools 8.56
CVE-2019-3858 MEDIUM

An out of bounds read flaw was discovered in libssh2 before 1.8.1 when a specially crafted SFTP packet is received from the server. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,CWE-125,

Products Affected

Vendor Product Version
netapp ontap_select_deploy_administration_utility -
opensuse leap 42.3
opensuse leap 15.0
libssh2 libssh2 *
debian debian_linux 8.0
fedoraproject fedora 29
CVE-2019-3859 MEDIUM

An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the _libssh2_packet_require and _libssh2_packet_requirev functions. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,CWE-125,

Products Affected

Vendor Product Version
debian debian_linux 9.0
netapp ontap_select_deploy_administration_utility -
opensuse leap 42.3
opensuse leap 15.0
libssh2 libssh2 *
fedoraproject fedora 28
debian debian_linux 8.0
fedoraproject fedora 29
CVE-2019-3860 MEDIUM

An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the way SFTP packets with empty payloads are parsed. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,CWE-125,

Products Affected

Vendor Product Version
netapp ontap_select_deploy_administration_utility -
opensuse leap 42.3
opensuse leap 15.0
libssh2 libssh2 *
debian debian_linux 8.0
CVE-2019-3861 MEDIUM

An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the way SSH packets with a padding length value greater than the packet length are parsed. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,CWE-125,

Products Affected

Vendor Product Version
netapp ontap_select_deploy_administration_utility -
opensuse leap 42.3
opensuse leap 15.0
libssh2 libssh2 *
debian debian_linux 8.0
CVE-2019-3862 MEDIUM

An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the way SSH_MSG_CHANNEL_REQUEST packets with an exit status message and no payload are parsed. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-130,CWE-125,

Products Affected

Vendor Product Version
netapp ontap_select_deploy_administration_utility -
opensuse leap 42.3
libssh2 libssh2 *
debian debian_linux 8.0
fedoraproject fedora 29
CVE-2019-3863 MEDIUM

A flaw was found in libssh2 before 1.8.1 creating a vulnerability on the SSH client side. A server could send a multiple keyboard interactive response messages whose total length are greater than unsigned char max characters. This value is used by the SSH client as an index to copy memory causing in an out of bounds memory write error.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-190,CWE-787,CWE-787,

Products Affected

Vendor Product Version
redhat enterprise_linux_server_aus 7.6
redhat enterprise_linux_server_eus 7.6
netapp ontap_select_deploy_administration_utility -
opensuse leap 42.3
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_server 7.0
redhat enterprise_linux_server_tus 7.6
opensuse leap 15.0
libssh2 libssh2 *
debian debian_linux 8.0
redhat enterprise_linux_desktop 7.0
CVE-2020-22218

An issue was discovered in function _libssh2_packet_add in libssh2 1.10.0 allows attackers to access out of bounds memory.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
libssh2 libssh2 1.10.0
CVE-2023-48795

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N 2.2 3.6

Products Affected

Vendor Product Version
redhat storage 3.0
redhat openshift_api_for_data_protection -
crushftp crushftp *
winscp winscp *
tera_term_project tera_term *
netgate pfsense_plus *
redhat advanced_cluster_security 3.0
russh_project russh *
lancom-systems lcos_sx 4.20
lancom-systems lanconfig -
redhat discovery -
microsoft powershell *
openbsd openssh *
netgate pfsense_ce *
proftpd proftpd *
panic transmit_5 *
filezilla-project filezilla_client *
redhat openshift_gitops -
redhat openshift_virtualization 4
paramiko paramiko *
apache sshd *
panic nova *
jadaptive maverick_synergy_java_ssh_api *
dropbear_ssh_project dropbear_ssh *
redhat keycloak -
redhat openstack_platform 17.1
erlang erlang/otp *
debian debian_linux 10.0
ssh2_project ssh2 *
redhat openstack_platform 16.1
redhat openshift_data_foundation 4.0
bitvise ssh_server *
fedoraproject fedora 39
roumenpetrov pkixssh *
redhat openshift_container_platform 4.0
kitty_project kitty *
libssh2 libssh2 *
redhat openshift_developer_tools_and_services -
fedoraproject fedora 38
asyncssh_project asyncssh *
redhat openshift_dev_spaces -
netsarang xshell_7 *
redhat ceph_storage 6.0
trilead ssh2 6401
redhat openshift_pipelines -
bitvise ssh_client *
libssh libssh *
lancom-systems lcos_fx -
redhat single_sign-on 7.0
redhat cert-manager_operator_for_red_hat_openshift -
redhat advanced_cluster_security 4.0
matez jsch *
redhat enterprise_linux 8.0
redhat jboss_enterprise_application_platform 7.0
redhat openshift_serverless -
crates thrussh *
connectbot sshlib *
putty putty *
lancom-systems lcos *
vandyke securecrt *
net-ssh net-ssh 7.2.0
lancom-systems lcos_sx 5.20
redhat openstack_platform 16.2
redhat enterprise_linux 9.0
lancom-systems lcos_lx -
golang crypto *
sftpgo_project sftpgo *
thorntech sftp_gateway_firmware *
apache sshj *
freebsd freebsd *
oryx-embedded cyclone_ssh *
ssh ssh *
gentoo security -
apple macos *
tinyssh tinyssh *