PT-2019-5374 · Libssh+7
Khaled Sakr · Published 2019-12-05 · Updated 2024-06-15
CVE-2019-14889
CVSS v2.0: 9.3 (High), vector AV:N/AC:M/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
libssh versions prior to 0.9.3
libssh versions prior to 0.8.8
Description
A flaw was found in the libssh API function ssh_scp_new() that allows an attacker to inject arbitrary commands when the libssh SCP client connects to a server. This is possible if the library is used in a way where users can influence the third parameter of the ssh_scp_new() function, leading to a compromise of the remote target. The issue is caused by a lack of sanitization of this parameter, which can allow a remote attacker to execute arbitrary code.
Recommendations
For versions prior to 0.9.3, update to version 0.9.3 or later to resolve the issue.
For versions prior to 0.8.8, update to version 0.8.8 or later to resolve the issue.
As a temporary workaround, consider restricting the use of the ssh_scp_new() function until a patch is available.
Fix
OS Command Injection
Command Injection
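The unsafe pattern the description refers to is passing a user-influenced string straight into the third argument of ssh_scp_new(). Below is a caller-side check that an application could apply as part of the workaround above: an allowlist for the user-controlled part of the remote location, joined with a trusted base directory. This is an added example, not libssh's code and not the upstream fix; the allowlist policy, the base directory /srv/uploads and the session variable in the usage sketch are assumptions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define SCP_NAME_MAX 255

/* Hypothetical caller-side allowlist (added example, not libssh code).
 * Accepts only non-empty names of at most SCP_NAME_MAX bytes made of
 * [A-Za-z0-9._-] that do not start with '-' (option-like) or '.' (rejects
 * ".", ".." and hidden files). Shell metacharacters, quotes and whitespace fail. */
bool scp_name_is_safe(const char *name)
{
    if (name == NULL) return false;
    size_t len = 0;
    while (len <= SCP_NAME_MAX && name[len] != '\0') len++;
    if (len == 0 || len > SCP_NAME_MAX) return false;
    if (name[0] == '-' || name[0] == '.') return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '.' || c == '-' || c == '_')) return false;
    }
    return true;
}

/* Builds the third argument of ssh_scp_new() from a trusted base directory and
 * a user-supplied basename. Returns 0 and fills `out` on success, -1 if the name
 * is rejected or the result does not fit; the raw input is never handed to libssh. */
int build_scp_location(char *out, size_t out_sz, const char *base_dir, const char *name)
{
    if (out == NULL || out_sz == 0 || base_dir == NULL || !scp_name_is_safe(name)) return -1;
    int n = snprintf(out, out_sz, "%s/%s", base_dir, name);
    if (n < 0 || (size_t)n >= out_sz) { out[0] = '\0'; return -1; }
    return 0;
}

/* Convenience wrapper: pointer to a static buffer, or NULL when the name is rejected. */
const char *scp_location_or_null(const char *base_dir, const char *name)
{
    static char buf[512];
    return build_scp_location(buf, sizeof buf, base_dir, name) == 0 ? buf : NULL;
}

/* Usage sketch against the real API (kept in a comment so this file builds
 * without libssh headers; `session` is an assumed open ssh_session):
 *
 *   const char *loc = scp_location_or_null("/srv/uploads", user_name);
 *   if (loc == NULL) return -1;   // refuse; never fall back to the raw input
 *   ssh_scp scp = ssh_scp_new(session, SSH_SCP_WRITE, loc);
 */
```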
Affected Products
Alt Linux
Astra Linux
Centos
Red Hat
Rocky Linux
Suse
Ubuntu
Libssh