CVE-2018-3737
First published: Fri Apr 13 2018(Updated: )
sshpk is vulnerable to ReDoS when parsing crafted invalid public keys.
Credit: support@hackerone.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Joyent Sshpk | <=1.13.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2018-3737?
CVE-2018-3737 is a vulnerability in sshpk that allows for ReDoS attacks when parsing crafted invalid public keys.
How severe is CVE-2018-3737?
CVE-2018-3737 has a severity rating of high, with a severity value of 7.5.
What software is affected by CVE-2018-3737?
The following software versions are affected by CVE-2018-3737: sshpk 1.14.1, sshpk 1.3.2, and Joyent Sshpk up to version 1.13.1.
How can I fix CVE-2018-3737?
To fix CVE-2018-3737, update sshpk to version 1.14.1 (for sshpk 1.14.1), version 1.3.2 (for sshpk 1.3.2), or a version later than 1.13.1 (for Joyent Sshpk).
Where can I find more information about CVE-2018-3737?
You can find more information about CVE-2018-3737 at the following references: [GitHub Issue](https://github.com/joyent/node-sshpk/issues/44), [GitHub Commit](https://github.com/joyent/node-sshpk/commit/46065d38a5e6d1bccf86d3efb2fb83c14e3f9957), [HackerOne Report](https://hackerone.com/reports/319593).
- collector/nvd-index
- agent/weakness
- agent/type
- agent/first-publish-date
- agent/references
- agent/softwarecombine
- agent/author
- agent/description
- agent/severity
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2018-3737
- agent/software-canonical-lookup
- agent/tags
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/source
- vendor/joyent
- canonical/joyent sshpk
- version/joyent sshpk/1.13.1
- package-manager/redhat