CVE-2019-3856
critical
CVSS v3
—
CVSS v2
—
VIR risk
9.5
Description
An integer overflow flaw, which could lead to an out of bounds write, was discovered in libssh2 before 1.8.1 in the way keyboard prompt requests are parsed. A remote attacker who compromises an SSH server may be able to execute code on the client system when a user connects to the server.
Predictions
Exploit likelihood
20%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2019-3856
Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2019-3856.html
Vendor advisory: arch — https://security.archlinux.org/ASA-201903-12
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| arch | | fixed | 1.8.1-1 |
| sles | | affected | |
| debian | bookworm | fixed | 1.8.0-2.1 |
| debian | bullseye | fixed | 1.8.0-2.1 |
| debian | forky | fixed | 1.8.0-2.1 |
| debian | sid | fixed | 1.8.0-2.1 |
| debian | trixie | fixed | 1.8.0-2.1 |