CVE-2019-14889: OS Command Injection
First published: Tue Dec 10 2019(Updated: )
A flaw was found with the libssh API function ssh_scp_new() in versions before 0.9.3 and before 0.8.8. When the libssh SCP client connects to a server, the scp command, which includes a user-provided path, is executed on the server-side. In case the library is used in a way where users can influence the third parameter of the function, it would become possible for an attacker to inject arbitrary commands, leading to a compromise of the remote target.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Libssh Libssh | <0.8.8 | |
| Libssh Libssh | >=0.9.0<0.9.3 | |
| Canonical Ubuntu Linux | =16.04 | |
| Canonical Ubuntu Linux | =18.04 | |
| Canonical Ubuntu Linux | =19.04 | |
| Canonical Ubuntu Linux | =19.10 | |
| openSUSE Leap | =15.1 | |
| Fedoraproject Fedora | =30 | |
| Fedoraproject Fedora | =31 | |
| Debian Debian Linux | =8.0 | |
| Oracle Mysql Workbench | <=8.0.19 | |
| debian/libssh | 0.9.8-0+deb11u1 0.10.6-0+deb12u1 0.11.1-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00033.html
- http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00047.html
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14889
- https://lists.debian.org/debian-lts-announce/2019/12/msg00020.html
- https://lists.debian.org/debian-lts-announce/2023/05/msg00029.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7JJWJTXVWLLJTVHBPGWL7472S5FWXYQR/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EV2ONSPDJCTDVORCB4UGRQUZQQ46JHRN/
- https://security.gentoo.org/glsa/202003-27
- https://usn.ubuntu.com/4219-1/
- https://www.libssh.org/security/advisories/CVE-2019-14889.txt
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7JJWJTXVWLLJTVHBPGWL7472S5FWXYQR/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EV2ONSPDJCTDVORCB4UGRQUZQQ46JHRN/
- https://launchpad.net/bugs/cve/CVE-2019-14889
- https://bugs.libssh.org/T181
- https://bugs.debian.org/947129
- https://code.x2go.org/gitweb?p=x2goclient.git;a=commitdiff;h=ce559d163a943737fe4160f7233925df2eee1f9a
- https://security-tracker.debian.org/tracker/CVE-2019-14889
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14889
- https://nvd.nist.gov/vuln/detail/CVE-2019-14889
- https://ubuntu.com/security/CVE-2019-14889
Frequently Asked Questions
What is CVE-2019-14889?
CVE-2019-14889 is a vulnerability found in the libssh API function ssh_scp_new() in versions before 0.9.3 and before 0.8.8. When the libssh SCP client connects to a server, a user-provided path can execute a command on the server-side.
What is the severity of CVE-2019-14889?
The severity of CVE-2019-14889 is critical with a CVSS score of 8.8.
Which software versions are affected by CVE-2019-14889?
Versions before 0.9.3 and before 0.8.8 of libssh are affected. Additionally, Canonical Ubuntu Linux 16.04, 18.04, 19.04, 19.10, openSUSE Leap 15.1, Fedoraproject Fedora 30, 31, and Debian Debian Linux 8.0 are affected as well.
How can I fix CVE-2019-14889?
To fix CVE-2019-14889, users should update to version 0.9.3 or later of libssh.
Where can I find more information about CVE-2019-14889?
You can find more information about CVE-2019-14889 at the following references: [1](http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00033.html), [2](http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00047.html), [3](https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14889)
- collector/nvd-index
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/weakness
- agent/last-modified-date
- agent/remedy
- agent/first-publish-date
- agent/description
- agent/references
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- collector/launchpad-cve
- source/Launchpad
- agent/author
- agent/event
- agent/tags
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- collector/usn-cve
- source/Ubuntu
- vendor/libssh
- canonical/libssh libssh
- version/libssh libssh/0.9.0
- vendor/canonical
- canonical/canonical ubuntu linux
- version/canonical ubuntu linux/16.04
- version/canonical ubuntu linux/18.04
- version/canonical ubuntu linux/19.04
- version/canonical ubuntu linux/19.10
- vendor/opensuse
- canonical/opensuse leap
- version/opensuse leap/15.1
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/30
- version/fedoraproject fedora/31
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/8.0
- vendor/oracle
- canonical/oracle mysql workbench
- version/oracle mysql workbench/8.0.19
- package-manager/debian