First published: Mon Mar 25 2019(Updated: )
An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the way SFTP packets with empty payloads are parsed. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.
Credit: secalert@redhat.com secalert@redhat.com
Affected Software | Affected Version | How to fix |
---|---|---|
debian/libssh2 | 1.8.0-2.1 1.8.0-2.1+deb10u1 1.9.0-2 1.10.0-3 1.11.0-2 | |
Libssh2 Libssh2 | >=0.3<=1.8.0 | |
Debian Debian Linux | =8.0 | |
NetApp ONTAP Select Deploy administration utility | ||
openSUSE Leap | =15.0 | |
openSUSE Leap | =42.3 | |
>=0.3<=1.8.0 | ||
=8.0 | ||
=15.0 | ||
=42.3 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
The vulnerability ID is CVE-2019-3860.
The severity of CVE-2019-3860 is critical, with a severity value of 9.1.
The affected software for CVE-2019-3860 includes libssh2 before version 1.8.1, Debian Linux version 8.0, NetApp ONTAP Select Deploy administration utility, and openSUSE Leap versions 15.0 and 42.3.
An attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.
Yes, the fix for CVE-2019-3860 is to upgrade libssh2 to version 1.8.1 or later.