CVE-2019-14889: OS Command Injection
First published: Tue Dec 10 2019(Updated: )
A flaw was found with the libssh API function ssh_scp_new() in versions before 0.9.3 and before 0.8.8. When the libssh SCP client connects to a server, the scp command, which includes a user-provided path, is executed on the server-side. In case the library is used in a way where users can influence the third parameter of the function, it would become possible for an attacker to inject arbitrary commands, leading to a compromise of the remote target.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/libssh | 0.9.8-0+deb11u1 0.10.6-0+deb12u1 0.11.1-1 | |
| Ubuntu | <0.8.8 | |
| Ubuntu | >=0.9.0<0.9.3 | |
| Ubuntu Linux | =16.04 | |
| Ubuntu Linux | =18.04 | |
| Ubuntu Linux | =19.04 | |
| Ubuntu Linux | =19.10 | |
| openSUSE | =15.1 | |
| Fedoraproject Fedora | =30 | |
| Fedoraproject Fedora | =31 | |
| Debian GNU/Linux | =8.0 | |
| oracle mysql workbench | <=8.0.19 | |
| libssh | <0.8.8 | |
| libssh | >=0.9.0<0.9.3 | |
| Ubuntu | =16.04 | |
| Ubuntu | =18.04 | |
| Ubuntu | =19.04 | |
| Ubuntu | =19.10 | |
| SUSE Linux | =15.1 | |
| Fedora | =30 | |
| Fedora | =31 | |
| Debian | =8.0 | |
| Oracle MySQL Workbench CE | <=8.0.19 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00033.html
- http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00047.html
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14889
- https://lists.debian.org/debian-lts-announce/2019/12/msg00020.html
- https://lists.debian.org/debian-lts-announce/2023/05/msg00029.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7JJWJTXVWLLJTVHBPGWL7472S5FWXYQR/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EV2ONSPDJCTDVORCB4UGRQUZQQ46JHRN/
- https://security.gentoo.org/glsa/202003-27
- https://usn.ubuntu.com/4219-1/
- https://www.libssh.org/security/advisories/CVE-2019-14889.txt
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7JJWJTXVWLLJTVHBPGWL7472S5FWXYQR/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EV2ONSPDJCTDVORCB4UGRQUZQQ46JHRN/
- https://launchpad.net/bugs/cve/CVE-2019-14889
- https://bugs.libssh.org/T181
- https://bugs.debian.org/947129
- https://code.x2go.org/gitweb?p=x2goclient.git;a=commitdiff;h=ce559d163a943737fe4160f7233925df2eee1f9a
- https://security-tracker.debian.org/tracker/CVE-2019-14889
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14889
- https://nvd.nist.gov/vuln/detail/CVE-2019-14889
- https://ubuntu.com/security/CVE-2019-14889
Frequently Asked Questions
What is CVE-2019-14889?
CVE-2019-14889 is a vulnerability found in the libssh API function ssh_scp_new() in versions before 0.9.3 and before 0.8.8. When the libssh SCP client connects to a server, a user-provided path can execute a command on the server-side.
What is the severity of CVE-2019-14889?
The severity of CVE-2019-14889 is critical with a CVSS score of 8.8.
Which software versions are affected by CVE-2019-14889?
Versions before 0.9.3 and before 0.8.8 of libssh are affected. Additionally, Canonical Ubuntu Linux 16.04, 18.04, 19.04, 19.10, openSUSE Leap 15.1, Fedoraproject Fedora 30, 31, and Debian Debian Linux 8.0 are affected as well.
How can I fix CVE-2019-14889?
To fix CVE-2019-14889, users should update to version 0.9.3 or later of libssh.
Where can I find more information about CVE-2019-14889?
You can find more information about CVE-2019-14889 at the following references: [1](http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00033.html), [2](http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00047.html), [3](https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14889)
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/weakness
- agent/last-modified-date
- agent/remedy
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- agent/author
- collector/security-tracker-debian
- source/Debian
- agent/software-canonical-lookup
- collector/usn-cve
- source/Ubuntu
- agent/references
- agent/event
- agent/description
- agent/source
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- agent/tags
- agent/softwarecombine
- collector/nvd-index
- package-manager/debian
- vendor/libssh
- canonical/ubuntu
- version/ubuntu/0.9.0
- vendor/canonical
- canonical/ubuntu linux
- version/ubuntu linux/16.04
- version/ubuntu linux/18.04
- version/ubuntu linux/19.04
- version/ubuntu linux/19.10
- vendor/opensuse
- canonical/opensuse
- version/opensuse/15.1
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/30
- version/fedoraproject fedora/31
- vendor/debian
- canonical/debian gnu/linux
- version/debian gnu/linux/8.0
- vendor/oracle
- canonical/oracle mysql workbench
- version/oracle mysql workbench/8.0.19
- canonical/libssh
- version/libssh/0.9.0
- version/ubuntu/16.04
- version/ubuntu/18.04
- version/ubuntu/19.04
- version/ubuntu/19.10
- canonical/suse linux
- version/suse linux/15.1
- canonical/fedora
- version/fedora/30
- version/fedora/31
- canonical/debian
- version/debian/8.0
- canonical/oracle mysql workbench ce
- version/oracle mysql workbench ce/8.0.19