PT-2019-6253 · Libssh2 +6

Kevin Backhouse · Published 2019-07-01 · Updated 2025-10-27 · CVE-2019-17498

CVSS v2.0: 8.8 (High)
Vector: AV:N/AC:M/Au:N/C:C/I:N/A:C
Name of the Vulnerable Software and Affected Versions: libssh2 versions 1.9.0 and earlier
Description: The issue is an integer overflow in the SSH_MSG_DISCONNECT handling logic in packet.c, which lets an attacker specify an arbitrary offset for a subsequent memory read. A crafted SSH server could thereby disclose sensitive information from, or cause a denial of service on, the client system when a user connects to that server.
Recommendations: For libssh2 versions 1.9.0 and earlier, consider disabling the packet.c component until a patch is available, to prevent potential exploitation. Restrict access to the SSH server to minimize the risk of sensitive information disclosure or denial of service. As a temporary workaround, avoid using the vulnerable packet.c logic in the SSH_MSG_DISCONNECT handling until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Tags: Exploit · DoS · Integer Overflow


Related Identifiers

ALSA-2024_1130
ALSA-2024_1150
ALSA-2025_16880
ALT-PU-2020-2918
ALT-PU-2020-2949
ALT-PU-2021-2150
ALT-PU-2021-3271
ALT-PU-2024-1563
ALT-PU-2024-1973
AZL-6650
BDU:2022-05961
CESA-2020_3915
CVE-2019-17498
DLA-1991-1
DLA-2848-1
DLA-3559-1
ELSA-2020-3915
JLSEC-2025-188
MGASA-2019-0343
OPENSUSE-SU-2019:2483-1
OPENSUSE-SU-2019_2483-1
OPENSUSE-SU-2020:2126-1
OPENSUSE-SU-2020:2129-1
OPENSUSE-SU-2020_2126-1
OPENSUSE-SU-2020_2129-1
OPENSUSE-SU-2024:10999-1
RHSA-2020:3915
RHSA-2020_3915
SUSE-RU-2023:4066-1
SUSE-RU-2023:4192-1
SUSE-SU-2019:14206-1
SUSE-SU-2019:14226-1
SUSE-SU-2019:2900-1
SUSE-SU-2019:2900-2
SUSE-SU-2019:2936-1
SUSE-SU-2019_14206-1
SUSE-SU-2019_2900-1
SUSE-SU-2019_2900-2
SUSE-SU-2019_2936-1
SUSE-SU-2020:3551-1
SUSE-SU-2020_3551-1
USN-5308-1

Affected Products

ALT Linux
Astra Linux
CentOS
Red Hat
SUSE
Ubuntu
libssh2