CVE-2023-6918 — LOW (3.7) — White Hats Nepal

Q: How severe is CVE-2023-6918?

CVE-2023-6918 has been rated LOW with a CVSS base score of 3.7/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2023-6918?

Check the references section above for vendor advisories and patch information. Affected products include: Libssh Libssh, Fedoraproject Fedora, Redhat Enterprise Linux.

Vulnerability Description

A flaw was found in the libssh implements abstract layer for message digest (MD) operations implemented by different supported crypto backends. The return values from these were not properly checked, which could cause low-memory situations failures, NULL dereferences, crashes, or usage of the uninitialized memory as an input for the KDF. In this case, non-matching keys will result in decryption/integrity failures, terminating the connection.

CVSS Score

3.7

LOW

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

LOW

Affected Products

Vendor	Product	Versions
Libssh	Libssh	>= 0.9.0, < 0.9.8
Fedoraproject	Fedora	38
Redhat	Enterprise Linux	8.0

Related Weaknesses (CWE)

CWE-252

References

https://access.redhat.com/errata/RHSA-2024:2504
https://access.redhat.com/errata/RHSA-2024:3233
https://access.redhat.com/security/cve/CVE-2023-6918Mailing ListVendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2254997Issue TrackingThird Party Advisory
https://www.libssh.org/2023/12/18/libssh-0-10-6-and-libssh-0-9-8-security-releasRelease Notes
https://www.libssh.org/security/advisories/CVE-2023-6918.txtVendor Advisory
https://access.redhat.com/errata/RHSA-2024:2504
https://access.redhat.com/errata/RHSA-2024:3233
https://access.redhat.com/security/cve/CVE-2023-6918Mailing ListVendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2254997Issue TrackingThird Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]
https://lists.fedoraproject.org/archives/list/[email protected]
https://security.netapp.com/advisory/ntap-20250214-0009/
https://www.libssh.org/2023/12/18/libssh-0-10-6-and-libssh-0-9-8-security-releasRelease Notes
https://www.libssh.org/security/advisories/CVE-2023-6918.txtVendor Advisory

FAQ

What is CVE-2023-6918?

CVE-2023-6918 is a vulnerability with a CVSS score of 3.7 (LOW). A flaw was found in the libssh implements abstract layer for message digest (MD) operations implemented by different supported crypto backends. The return values from these were not properly checked, ...

How severe is CVE-2023-6918?

CVE-2023-6918 has been rated LOW with a CVSS base score of 3.7/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2023-6918?

Check the references section above for vendor advisories and patch information. Affected products include: Libssh Libssh, Fedoraproject Fedora, Redhat Enterprise Linux.