CVE-2019-3863
7.5
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
A flaw was found in libssh2 before 1.8.1 creating a vulnerability on the SSH client side. A server could send a multiple keyboard interactive response messages whose total length are greater than unsigned char max characters. This value is used by the SSH client as an index to copy memory causing in an out of bounds memory write error.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| The libssh2 Project | libssh2 | 1.8.1 | affected |
Weaknesses
- CWE-190: CWE-190
- CWE-787: CWE-787
ADP Enrichment
CVE Program Container
Additional References
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3863
- https://www.libssh2.org/CVE-2019-3863.html
- https://lists.debian.org/debian-lts-announce/2019/03/msg00032.html
- https://security.netapp.com/advisory/ntap-20190327-0005/
- https://access.redhat.com/errata/RHSA-2019:0679
- http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00040.html
- http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00003.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5DK6VO2CEUTAJFYIKWNZKEKYMYR3NO2O/
- https://www.debian.org/security/2019/dsa-4431
- https://seclists.org/bugtraq/2019/Apr/25
- https://access.redhat.com/errata/RHSA-2019:1175
- https://access.redhat.com/errata/RHSA-2019:1652
- https://access.redhat.com/errata/RHSA-2019:1791
- https://access.redhat.com/errata/RHSA-2019:1943
- https://access.redhat.com/errata/RHSA-2019:2399
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3863
- https://www.libssh2.org/CVE-2019-3863.html
- https://lists.debian.org/debian-lts-announce/2019/03/msg00032.html
- https://security.netapp.com/advisory/ntap-20190327-0005/
- https://access.redhat.com/errata/RHSA-2019:0679
- http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00040.html
- http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00003.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5DK6VO2CEUTAJFYIKWNZKEKYMYR3NO2O/
- https://www.debian.org/security/2019/dsa-4431
- https://seclists.org/bugtraq/2019/Apr/25
- https://access.redhat.com/errata/RHSA-2019:1175
- https://access.redhat.com/errata/RHSA-2019:1652
- https://access.redhat.com/errata/RHSA-2019:1791
- https://access.redhat.com/errata/RHSA-2019:1943
- https://access.redhat.com/errata/RHSA-2019:2399
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.