Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

debian логотип

CVE-2019-14889

Опубликовано: 10 дек. 2019
Источник: debian

Описание

A flaw was found with the libssh API function ssh_scp_new() in versions before 0.9.3 and before 0.8.8. When the libssh SCP client connects to a server, the scp command, which includes a user-provided path, is executed on the server-side. In case the library is used in a way where users can influence the third parameter of the function, it would become possible for an attacker to inject arbitrary commands, leading to a compromise of the remote target.

Пакеты

ПакетСтатусВерсия исправленияРелизТип
libsshfixed0.9.3-1package

Примечания

  • https://www.libssh.org/security/advisories/CVE-2019-14889.txt

  • https://bugs.libssh.org/T181

  • The fix in libssh makes an update in x2goclient necessary, cf:

  • https://bugs.debian.org/947129

  • https://code.x2go.org/gitweb?p=x2goclient.git;a=commitdiff;h=ce559d163a943737fe4160f7233925df2eee1f9a

Связанные уязвимости

ubuntu логотип

CVE-2019-14889

CVSS3: 8.8
ubuntu
около 6 лет назад

A flaw was found with the libssh API function ssh_scp_new() in versions before 0.9.3 and before 0.8.8. When the libssh SCP client connects to a server, the scp command, which includes a user-provided path, is executed on the server-side. In case the library is used in a way where users can influence the third parameter of the function, it would become possible for an attacker to inject arbitrary commands, leading to a compromise of the remote target.

redhat логотип

CVE-2019-14889

CVSS3: 7.1
redhat
около 6 лет назад

A flaw was found with the libssh API function ssh_scp_new() in versions before 0.9.3 and before 0.8.8. When the libssh SCP client connects to a server, the scp command, which includes a user-provided path, is executed on the server-side. In case the library is used in a way where users can influence the third parameter of the function, it would become possible for an attacker to inject arbitrary commands, leading to a compromise of the remote target.

nvd логотип

CVE-2019-14889

CVSS3: 8.8
nvd
около 6 лет назад

A flaw was found with the libssh API function ssh_scp_new() in versions before 0.9.3 and before 0.8.8. When the libssh SCP client connects to a server, the scp command, which includes a user-provided path, is executed on the server-side. In case the library is used in a way where users can influence the third parameter of the function, it would become possible for an attacker to inject arbitrary commands, leading to a compromise of the remote target.

suse-cvrf логотип

openSUSE-SU-2020:0102-1

suse-cvrf
почти 6 лет назад

Security update for libssh

suse-cvrf логотип

openSUSE-SU-2019:2689-1

suse-cvrf
почти 6 лет назад

Security update for libssh