CVE-2019-13115

Name of the Vulnerable Software and Affected Versions libssh2 versions prior to 1.9.0

Description The issue is related to an integer overflow in the kex method diffie hellman group exchange sha256 key exchange function of the kex.c component in the Libssh2 library, which implements the SSH2 protocol. This overflow could lead to an out-of-bounds read when packets are read from the server. A remote attacker who compromises a SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server.

Recommendations For versions prior to 1.9.0, update to version 1.9.0 or later to resolve the issue. As a temporary workaround, consider restricting access to SSH servers until the update is applied. Avoid using the kex method diffie hellman group exchange sha256 key exchange function in the affected libssh2 library until the issue is resolved.