CVE-2016-0787

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2016-0787

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2016-0787.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2016-0787

Downstream

ALPINE-CVE-2016-0787

DEBIAN-CVE-2016-0787

DLA-426-1

DSA-3487-1

RHSA-2016:0428

SUSE-SU-2016:0718-1

SUSE-SU-2016:0723-1

SUSE-SU-2017:2699-1

SUSE-SU-2017:2700-1

UBUNTU-CVE-2016-0787

openSUSE-SU-2024:10190-1

Related

Published

2016-04-13T17:59:10Z

Modified

2025-10-07T22:44:39.172924Z

Severity

5.9 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

[none]

Details

The diffiehellmansha256 function in kex.c in libssh2 before 1.7.0 improperly truncates secrets to 128 or 256 bits, which makes it easier for man-in-the-middle attackers to decrypt or intercept SSH sessions via unspecified vectors, aka a "bits/bytes confusion bug."

References

Affected packages

Git / github.com/libssh2/libssh2

Affected ranges

Type: GIT
Repo: https://github.com/libssh2/libssh2
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

cbd5f72339dae6bfc587f4486f4349dd1d61f9b7

Affected versions

RELEASE.*

RELEASE.0.1

RELEASE.0.10

RELEASE.0.11

RELEASE.0.12

RELEASE.0.13

RELEASE.0.14

RELEASE.0.15

RELEASE.0.16

RELEASE.0.17

RELEASE.0.18

RELEASE.0.3

RELEASE.0.5

RELEASE.0.6

RELEASE.0.7

RELEASE.0.8

RELEASE.1.0

RELEASE.1.1

beforenb-0.*

beforenb-0.14

beforenb2-0.*

beforenb2-0.14

libssh2-1.*

libssh2-1.2

libssh2-1.2.1

libssh2-1.2.2

libssh2-1.2.3

libssh2-1.2.4

libssh2-1.2.5

libssh2-1.2.6

libssh2-1.2.7

libssh2-1.2.8

libssh2-1.2.9

libssh2-1.3.0

libssh2-1.4.0

libssh2-1.4.1

libssh2-1.4.2

libssh2-1.4.3

libssh2-1.5.0

libssh2-1.6.0