CVE-2018-7750 — CRITICAL (9.8)

Q: How severe is CVE-2018-7750?

CVE-2018-7750 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2018-7750?

Check the references section above for vendor advisories and patch information. Affected products include: Paramiko Paramiko, Redhat Ansible Engine, Redhat Cloudforms, Redhat Virtualization, Redhat Enterprise Linux Desktop.

Vulnerability Description

transport.py in the SSH server implementation of Paramiko before 1.17.6, 1.18.x before 1.18.5, 2.0.x before 2.0.8, 2.1.x before 2.1.5, 2.2.x before 2.2.3, 2.3.x before 2.3.2, and 2.4.x before 2.4.1 does not properly check whether authentication is completed before processing other requests, as demonstrated by channel-open. A customized SSH client can simply skip the authentication step.

CVSS Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Paramiko	Paramiko	< 1.17.6
Redhat	Ansible Engine	2.0
Redhat	Cloudforms	4.5
Redhat	Virtualization	4.1
Redhat	Enterprise Linux Desktop	6.0
Redhat	Enterprise Linux Server	6.0
Redhat	Enterprise Linux Server Aus	6.4
Redhat	Enterprise Linux Server Eus	6.7
Redhat	Enterprise Linux Server Tus	6.6
Redhat	Enterprise Linux Workstation	6.0
Debian	Debian Linux	8.0

Related Weaknesses (CWE)

CWE-287

References

http://www.securityfocus.com/bid/103713Third Party AdvisoryVDB Entry
https://access.redhat.com/errata/RHSA-2018:0591Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:0646Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:1124Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:1125Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:1213Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:1274Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:1328Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:1525Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:1972Third Party Advisory
https://github.com/paramiko/paramiko/blob/master/sites/www/changelog.rstThird Party Advisory
https://github.com/paramiko/paramiko/commit/fa29bd8446c8eab237f5187d28787727b461PatchThird Party Advisory
https://github.com/paramiko/paramiko/issues/1175Issue TrackingThird Party Advisory
https://lists.debian.org/debian-lts-announce/2018/10/msg00018.htmlMailing ListThird Party Advisory
https://lists.debian.org/debian-lts-announce/2021/12/msg00025.htmlMailing ListThird Party Advisory

FAQ

What is CVE-2018-7750?

CVE-2018-7750 is a vulnerability with a CVSS score of 9.8 (CRITICAL). transport.py in the SSH server implementation of Paramiko before 1.17.6, 1.18.x before 1.18.5, 2.0.x before 2.0.8, 2.1.x before 2.1.5, 2.2.x before 2.2.3, 2.3.x before 2.3.2, and 2.4.x before 2.4.1 do...

How severe is CVE-2018-7750?

CVE-2018-7750 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2018-7750?

Check the references section above for vendor advisories and patch information. Affected products include: Paramiko Paramiko, Redhat Ansible Engine, Redhat Cloudforms, Redhat Virtualization, Redhat Enterprise Linux Desktop.