CVE-2019-3859 — CRITICAL (9.1)

Q: How severe is CVE-2019-3859?

CVE-2019-3859 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2019-3859?

Check the references section above for vendor advisories and patch information. Affected products include: Libssh2 Libssh2, Fedoraproject Fedora, Debian Debian Linux, Netapp Ontap Select Deploy Administration Utility, Opensuse Leap.

Vulnerability Description

An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the _libssh2_packet_require and _libssh2_packet_requirev functions. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.

CVSS Score

9.1

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Libssh2	Libssh2	< 1.8.1
Fedoraproject	Fedora	28
Debian	Debian Linux	8.0
Netapp	Ontap Select Deploy Administration Utility	-
Opensuse	Leap	15.0

Related Weaknesses (CWE)

CWE-125

References

http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00040.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00003.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00102.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00103.htmlMailing ListThird Party Advisory
http://packetstormsecurity.com/files/152136/Slackware-Security-Advisory-libssh2-PatchThird Party AdvisoryVDB Entry
http://www.openwall.com/lists/oss-security/2019/03/18/3Mailing ListPatchThird Party Advisory
http://www.securityfocus.com/bid/107485Third Party AdvisoryVDB Entry
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3859Issue TrackingPatchThird Party Advisory
https://lists.debian.org/debian-lts-announce/2019/03/msg00032.htmlMailing ListThird Party Advisory
https://lists.debian.org/debian-lts-announce/2019/04/msg00006.htmlMailing ListThird Party Advisory
https://lists.debian.org/debian-lts-announce/2019/07/msg00024.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://seclists.org/bugtraq/2019/Apr/25Mailing ListThird Party Advisory
https://seclists.org/bugtraq/2019/Mar/25Mailing ListPatchThird Party Advisory

FAQ

What is CVE-2019-3859?

CVE-2019-3859 is a vulnerability with a CVSS score of 9.1 (CRITICAL). An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the _libssh2_packet_require and _libssh2_packet_requirev functions. A remote attacker who compromises a SSH server may be able to c...

How severe is CVE-2019-3859?

CVE-2019-3859 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2019-3859?

Check the references section above for vendor advisories and patch information. Affected products include: Libssh2 Libssh2, Fedoraproject Fedora, Debian Debian Linux, Netapp Ontap Select Deploy Administration Utility, Opensuse Leap.