PT-2019-5374 · Libssh+7

Khaled Sakr · Published 2019-12-05 · Updated 2024-06-15 · CVE-2019-14889

CVSS v2.0: 9.3 (High)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions
libssh versions prior to 0.9.3
libssh versions prior to 0.8.8

Description
A flaw was found in the libssh API function ssh_scp_new() that allows an attacker to inject arbitrary commands when the libssh SCP client connects to a server. This is possible if the library is used in a way where users can influence the third parameter of ssh_scp_new(), leading to a compromise of the remote target. The issue is caused by a lack of data sanitization and can allow a remote attacker to execute arbitrary code.

Recommendations
For versions prior to 0.9.3, update to version 0.9.3 or later to resolve the issue. For versions prior to 0.8.8, update to version 0.8.8 or later to resolve the issue. As a temporary workaround, consider restricting the use of the ssh_scp_new() function until a patch is available.
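
One way to restrict what reaches ssh_scp_new() in calling code, shown as an added example that is not part of the original advisory and is not libssh code: an allow-list check on a user-influenced path before it is passed as the third parameter. The helper name scp_location_is_safe, the permitted character set and the length limit are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not a libssh API). Call it on any externally
 * influenced path before using that path as the third argument
 * (location) of ssh_scp_new(), and refuse the transfer if it fails. */

#define SCP_LOCATION_MAX 4096 /* assumed limit; adjust to the deployment */

/* Allow-list: letters, digits and a few path characters. Everything
 * else (spaces, quotes, ';', '$', newlines, ...) is rejected. */
static bool allowed_char(unsigned char c)
{
    if ((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
        (c >= '0' && c <= '9'))
        return true;
    return c == '/' || c == '.' || c == '_' || c == '-';
}

bool scp_location_is_safe(const char *location)
{
    size_t len, i;

    if (location == NULL)
        return false;
    len = strlen(location);
    if (len == 0 || len >= SCP_LOCATION_MAX)
        return false;
    if (location[0] == '-') /* must not look like a command-line option */
        return false;
    for (i = 0; i < len; i++)
        if (!allowed_char((unsigned char)location[i]))
            return false;
    return true;
}

int main(void)
{
    /* Constructed sample inputs, for illustration only. */
    const char *samples[] = { "/srv/upload/report-2019.txt", "/tmp/a;b",
                              "/tmp/a b", "-r", "" };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-30s %s\n", samples[i],
               scp_location_is_safe(samples[i]) ? "accept" : "reject");
    return 0;
}
```

The check narrows what untrusted input can reach the function; updating to a fixed libssh version remains the resolution the advisory gives.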

Fix

OS Command Injection

Command Injection


Weakness Enumeration

Related Identifiers

ALT-PU-2019-3261
ALT-PU-2019-3290
ALT-PU-2020-2094
ALT-PU-2020-2183
BDU:2020-02642
CESA-2020_4545
CVE-2019-14889
DLA-2038-1
DLA-2038-2
DLA-3437-1
MGASA-2019-0402
OPENSUSE-SU-2019:2689-1
OPENSUSE-SU-2019_2689-1
OPENSUSE-SU-2020:0102-1
OPENSUSE-SU-2020_0102-1
OPENSUSE-SU-2024:10998-1
RHSA-2020:4545
RHSA-2020_4545
RLSA-2020:4545
SUSE-SU-2019:3267-1
SUSE-SU-2019:3293-1
SUSE-SU-2019:3307-1
SUSE-SU-2019:3308-1
SUSE-SU-2019_3267-1
SUSE-SU-2019_3293-1
SUSE-SU-2019_3307-1
SUSE-SU-2019_3308-1
SUSE-SU-2020:0129-1
SUSE-SU-2020:0130-1
SUSE-SU-2020:0131-1
SUSE-SU-2020:0139-1
SUSE-SU-2020_0129-1
SUSE-SU-2020_0130-1
SUSE-SU-2020_0131-1
SUSE-SU-2020_0139-1
SUSE-SU-2024:0525-1
SUSE-SU-2024:0539-1
SUSE-SU-2024_0525-1
SUSE-SU-2024_0539-1
USN-4219-1

Affected Products

Alt Linux
Astra Linux
CentOS
Red Hat
Rocky Linux
SUSE
Ubuntu
libssh