CVE-2019-3858 — MEDIUM (5.0)

Q: How severe is CVE-2019-3858?

CVE-2019-3858 has been rated MEDIUM with a CVSS base score of 5.0/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2019-3858?

Check the references section above for vendor advisories and patch information. Affected products include: Libssh2 Libssh2, Fedoraproject Fedora, Debian Debian Linux, Netapp Ontap Select Deploy Administration Utility, Opensuse Leap.

Vulnerability Description

An out of bounds read flaw was discovered in libssh2 before 1.8.1 when a specially crafted SFTP packet is received from the server. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.

CVSS Score

5.0

MEDIUM

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

LOW

Integrity

LOW

Availability

LOW

Affected Products

Vendor	Product	Versions
Libssh2	Libssh2	< 1.8.1
Fedoraproject	Fedora	29
Debian	Debian Linux	8.0
Netapp	Ontap Select Deploy Administration Utility	-
Opensuse	Leap	15.0

Related Weaknesses (CWE)

CWE-125

References

http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00040.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00003.htmlThird Party Advisory
http://packetstormsecurity.com/files/152136/Slackware-Security-Advisory-libssh2-Third Party AdvisoryVDB Entry
http://www.openwall.com/lists/oss-security/2019/03/18/3Mailing ListPatchThird Party Advisory
http://www.securityfocus.com/bid/107485Third Party AdvisoryVDB Entry
https://access.redhat.com/errata/RHSA-2019:2136
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3858Issue TrackingPatchThird Party Advisory
https://lists.debian.org/debian-lts-announce/2019/03/msg00032.htmlMailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://seclists.org/bugtraq/2019/Apr/25
https://seclists.org/bugtraq/2019/Mar/25Mailing ListThird Party Advisory
https://security.netapp.com/advisory/ntap-20190327-0005/Third Party Advisory
https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brThird Party Advisory
https://www.debian.org/security/2019/dsa-4431

FAQ

What is CVE-2019-3858?

CVE-2019-3858 is a vulnerability with a CVSS score of 5.0 (MEDIUM). An out of bounds read flaw was discovered in libssh2 before 1.8.1 when a specially crafted SFTP packet is received from the server. A remote attacker who compromises a SSH server may be able to cause ...

How severe is CVE-2019-3858?

CVE-2019-3858 has been rated MEDIUM with a CVSS base score of 5.0/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2019-3858?

Check the references section above for vendor advisories and patch information. Affected products include: Libssh2 Libssh2, Fedoraproject Fedora, Debian Debian Linux, Netapp Ontap Select Deploy Administration Utility, Opensuse Leap.