Описание
transport.py in the SSH server implementation of Paramiko before 1.17.6, 1.18.x before 1.18.5, 2.0.x before 2.0.8, 2.1.x before 2.1.5, 2.2.x before 2.2.3, 2.3.x before 2.3.2, and 2.4.x before 2.4.1 does not properly check whether authentication is completed before processing other requests, as demonstrated by channel-open. A customized SSH client can simply skip the authentication step.
| Релиз | Статус | Примечание |
|---|---|---|
| artful | released | 2.0.0-1ubuntu0.1 |
| devel | released | 2.0.0-1ubuntu1 |
| esm-infra-legacy/trusty | released | 1.10.1-1git1ubuntu0.1 |
| esm-infra/xenial | released | 1.16.0-1ubuntu0.1 |
| precise/esm | not-affected | 1.7.7.1-2ubuntu1.1 |
| trusty | released | 1.10.1-1git1ubuntu0.1 |
| trusty/esm | released | 1.10.1-1git1ubuntu0.1 |
| upstream | needs-triage | |
| xenial | released | 1.16.0-1ubuntu0.1 |
Показывать по
EPSS
7.5 High
CVSS2
9.8 Critical
CVSS3
Связанные уязвимости
transport.py in the SSH server implementation of Paramiko before 1.17.6, 1.18.x before 1.18.5, 2.0.x before 2.0.8, 2.1.x before 2.1.5, 2.2.x before 2.2.3, 2.3.x before 2.3.2, and 2.4.x before 2.4.1 does not properly check whether authentication is completed before processing other requests, as demonstrated by channel-open. A customized SSH client can simply skip the authentication step.
transport.py in the SSH server implementation of Paramiko before 1.17.6, 1.18.x before 1.18.5, 2.0.x before 2.0.8, 2.1.x before 2.1.5, 2.2.x before 2.2.3, 2.3.x before 2.3.2, and 2.4.x before 2.4.1 does not properly check whether authentication is completed before processing other requests, as demonstrated by channel-open. A customized SSH client can simply skip the authentication step.
transport.py in the SSH server implementation of Paramiko before 1.17. ...
EPSS
7.5 High
CVSS2
9.8 Critical
CVSS3