CVE-2019-3855
critical
CVSS v3
—
CVSS v2
—
VIR risk
9.5
Description
An integer overflow flaw which could lead to an out-of-bounds write was discovered in libssh2 before 1.8.1 in the way packets are read from the server. A remote attacker who compromises an SSH server may be able to execute code on the client system when a user connects to the server.
Predictions
Exploit likelihood
20%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2019-3855
Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2019-3855.html
Vendor advisory: arch — https://security.archlinux.org/ASA-201903-12
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| arch | | fixed | 1.8.1-1 |
| sles | | affected | |
| debian | bookworm | fixed | 1.8.0-2.1 |
| debian | bullseye | fixed | 1.8.0-2.1 |
| debian | forky | fixed | 1.8.0-2.1 |
| debian | sid | fixed | 1.8.0-2.1 |
| debian | trixie | fixed | 1.8.0-2.1 |