CVE-2019-17498

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2019-17498
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-17498.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2019-17498
Downstream
Related
Published
2019-10-21T22:15:10Z
Modified
2025-09-19T10:46:24.165750Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H CVSS Calculator
Summary
[none]
Details

In libssh2 v1.9.0 and earlier versions, the SSHMSGDISCONNECT logic in packet.c has an integer overflow in a bounds check, enabling an attacker to specify an arbitrary (out-of-bounds) offset for a subsequent memory read. A crafted SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server.

References

Affected packages

Alpine:v3.10

libssh2

Package

Name
libssh2
Purl
pkg:apk/alpine/libssh2?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.9.0-r1

Affected versions

1.*

1.2.8-r0
1.2.9-r0
1.3.0-r0
1.4.0-r0
1.4.1-r0
1.4.2-r0
1.4.2-r1
1.4.3-r0
1.5.0-r0
1.6.0-r0
1.7.0-r0
1.7.0-r1
1.7.0-r2
1.8.0-r0
1.8.0-r1
1.8.0-r2
1.8.0-r3
1.8.0-r4
1.8.1-r0
1.8.2-r0
1.8.2-r1
1.9.0-r0

Alpine:v3.11

libssh2

Package

Name
libssh2
Purl
pkg:apk/alpine/libssh2?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.9.0-r1

Affected versions

1.*

1.2.8-r0
1.2.9-r0
1.3.0-r0
1.4.0-r0
1.4.1-r0
1.4.2-r0
1.4.2-r1
1.4.3-r0
1.5.0-r0
1.6.0-r0
1.7.0-r0
1.7.0-r1
1.7.0-r2
1.8.0-r0
1.8.0-r1
1.8.0-r2
1.8.0-r3
1.8.0-r4
1.8.1-r0
1.8.2-r0
1.8.2-r1
1.9.0-r0

Alpine:v3.12

libssh2

Package

Name
libssh2
Purl
pkg:apk/alpine/libssh2?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.9.0-r1

Affected versions

1.*

1.2.8-r0
1.2.9-r0
1.3.0-r0
1.4.0-r0
1.4.1-r0
1.4.2-r0
1.4.2-r1
1.4.3-r0
1.5.0-r0
1.6.0-r0
1.7.0-r0
1.7.0-r1
1.7.0-r2
1.8.0-r0
1.8.0-r1
1.8.0-r2
1.8.0-r3
1.8.0-r4
1.8.1-r0
1.8.2-r0
1.8.2-r1
1.9.0-r0

Alpine:v3.13

libssh2

Package

Name
libssh2
Purl
pkg:apk/alpine/libssh2?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.9.0-r1

Affected versions

1.*

1.2.8-r0
1.2.9-r0
1.3.0-r0
1.4.0-r0
1.4.1-r0
1.4.2-r0
1.4.2-r1
1.4.3-r0
1.5.0-r0
1.6.0-r0
1.7.0-r0
1.7.0-r1
1.7.0-r2
1.8.0-r0
1.8.0-r1
1.8.0-r2
1.8.0-r3
1.8.0-r4
1.8.1-r0
1.8.2-r0
1.8.2-r1
1.9.0-r0

Alpine:v3.14

libssh2

Package

Name
libssh2
Purl
pkg:apk/alpine/libssh2?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.9.0-r1

Affected versions

1.*

1.2.8-r0
1.2.9-r0
1.3.0-r0
1.4.0-r0
1.4.1-r0
1.4.2-r0
1.4.2-r1
1.4.3-r0
1.5.0-r0
1.6.0-r0
1.7.0-r0
1.7.0-r1
1.7.0-r2
1.8.0-r0
1.8.0-r1
1.8.0-r2
1.8.0-r3
1.8.0-r4
1.8.1-r0
1.8.2-r0
1.8.2-r1
1.9.0-r0

Alpine:v3.15

libssh2

Package

Name
libssh2
Purl
pkg:apk/alpine/libssh2?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.9.0-r1

Affected versions

1.*

1.2.8-r0
1.2.9-r0
1.3.0-r0
1.4.0-r0
1.4.1-r0
1.4.2-r0
1.4.2-r1
1.4.3-r0
1.5.0-r0
1.6.0-r0
1.7.0-r0
1.7.0-r1
1.7.0-r2
1.8.0-r0
1.8.0-r1
1.8.0-r2
1.8.0-r3
1.8.0-r4
1.8.1-r0
1.8.2-r0
1.8.2-r1
1.9.0-r0

Alpine:v3.16

libssh2

Package

Name
libssh2
Purl
pkg:apk/alpine/libssh2?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.9.0-r1

Affected versions

1.*

1.2.8-r0
1.2.9-r0
1.3.0-r0
1.4.0-r0
1.4.1-r0
1.4.2-r0
1.4.2-r1
1.4.3-r0
1.5.0-r0
1.6.0-r0
1.7.0-r0
1.7.0-r1
1.7.0-r2
1.8.0-r0
1.8.0-r1
1.8.0-r2
1.8.0-r3
1.8.0-r4
1.8.1-r0
1.8.2-r0
1.8.2-r1
1.9.0-r0

Alpine:v3.17

libssh2

Package

Name
libssh2
Purl
pkg:apk/alpine/libssh2?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.9.0-r1

Affected versions

1.*

1.2.8-r0
1.2.9-r0
1.3.0-r0
1.4.0-r0
1.4.1-r0
1.4.2-r0
1.4.2-r1
1.4.3-r0
1.5.0-r0
1.6.0-r0
1.7.0-r0
1.7.0-r1
1.7.0-r2
1.8.0-r0
1.8.0-r1
1.8.0-r2
1.8.0-r3
1.8.0-r4
1.8.1-r0
1.8.2-r0
1.8.2-r1
1.9.0-r0

Alpine:v3.18

libssh2

Package

Name
libssh2
Purl
pkg:apk/alpine/libssh2?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.9.0-r1

Affected versions

1.*

1.2.8-r0
1.2.9-r0
1.3.0-r0
1.4.0-r0
1.4.1-r0
1.4.2-r0
1.4.2-r1
1.4.3-r0
1.5.0-r0
1.6.0-r0
1.7.0-r0
1.7.0-r1
1.7.0-r2
1.8.0-r0
1.8.0-r1
1.8.0-r2
1.8.0-r3
1.8.0-r4
1.8.1-r0
1.8.2-r0
1.8.2-r1
1.9.0-r0

Alpine:v3.19

libssh2

Package

Name
libssh2
Purl
pkg:apk/alpine/libssh2?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.9.0-r1

Affected versions

1.*

1.2.8-r0
1.2.9-r0
1.3.0-r0
1.4.0-r0
1.4.1-r0
1.4.2-r0
1.4.2-r1
1.4.3-r0
1.5.0-r0
1.6.0-r0
1.7.0-r0
1.7.0-r1
1.7.0-r2
1.8.0-r0
1.8.0-r1
1.8.0-r2
1.8.0-r3
1.8.0-r4
1.8.1-r0
1.8.2-r0
1.8.2-r1
1.9.0-r0

Alpine:v3.20

libssh2

Package

Name
libssh2
Purl
pkg:apk/alpine/libssh2?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.9.0-r1

Affected versions

1.*

1.2.8-r0
1.2.9-r0
1.3.0-r0
1.4.0-r0
1.4.1-r0
1.4.2-r0
1.4.2-r1
1.4.3-r0
1.5.0-r0
1.6.0-r0
1.7.0-r0
1.7.0-r1
1.7.0-r2
1.8.0-r0
1.8.0-r1
1.8.0-r2
1.8.0-r3
1.8.0-r4
1.8.1-r0
1.8.2-r0
1.8.2-r1
1.9.0-r0

Alpine:v3.21

libssh2

Package

Name
libssh2
Purl
pkg:apk/alpine/libssh2?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.9.0-r1

Affected versions

1.*

1.2.8-r0
1.2.9-r0
1.3.0-r0
1.4.0-r0
1.4.1-r0
1.4.2-r0
1.4.2-r1
1.4.3-r0
1.5.0-r0
1.6.0-r0
1.7.0-r0
1.7.0-r1
1.7.0-r2
1.8.0-r0
1.8.0-r1
1.8.0-r2
1.8.0-r3
1.8.0-r4
1.8.1-r0
1.8.2-r0
1.8.2-r1
1.9.0-r0

Alpine:v3.22

libssh2

Package

Name
libssh2
Purl
pkg:apk/alpine/libssh2?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.9.0-r1

Affected versions

1.*

1.2.8-r0
1.2.9-r0
1.3.0-r0
1.4.0-r0
1.4.1-r0
1.4.2-r0
1.4.2-r1
1.4.3-r0
1.5.0-r0
1.6.0-r0
1.7.0-r0
1.7.0-r1
1.7.0-r2
1.8.0-r0
1.8.0-r1
1.8.0-r2
1.8.0-r3
1.8.0-r4
1.8.1-r0
1.8.2-r0
1.8.2-r1
1.9.0-r0

Alpine:v3.9

libssh2

Package

Name
libssh2
Purl
pkg:apk/alpine/libssh2?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.9.0-r1

Affected versions

1.*

1.2.8-r0
1.2.9-r0
1.3.0-r0
1.4.0-r0
1.4.1-r0
1.4.2-r0
1.4.2-r1
1.4.3-r0
1.5.0-r0
1.6.0-r0
1.7.0-r0
1.7.0-r1
1.7.0-r2
1.8.0-r0
1.8.0-r1
1.8.0-r2
1.8.0-r3
1.8.0-r4
1.8.1-r0
1.8.2-r0
1.9.0-r0

Git

github.com/libssh2/libssh2

Affected ranges

Type
GIT
Repo
https://github.com/libssh2/libssh2
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
dedcbd106f8e52d5586b0205bc7677e4c9868f9c

Affected versions

RELEASE.*

RELEASE.0.1
RELEASE.0.10
RELEASE.0.11
RELEASE.0.12
RELEASE.0.13
RELEASE.0.14
RELEASE.0.15
RELEASE.0.16
RELEASE.0.17
RELEASE.0.18
RELEASE.0.3
RELEASE.0.5
RELEASE.0.6
RELEASE.0.7
RELEASE.0.8
RELEASE.1.0
RELEASE.1.1

beforenb-0.*

beforenb-0.14

beforenb2-0.*

beforenb2-0.14

libssh2-1.*

libssh2-1.2
libssh2-1.2.1
libssh2-1.2.2
libssh2-1.2.3
libssh2-1.2.4
libssh2-1.2.5
libssh2-1.2.6
libssh2-1.2.7
libssh2-1.2.8
libssh2-1.2.9
libssh2-1.3.0
libssh2-1.4.0
libssh2-1.4.1
libssh2-1.4.2
libssh2-1.4.3
libssh2-1.5.0
libssh2-1.6.0
libssh2-1.7.0
libssh2-1.8.0
libssh2-1.9.0

Database specific 

{
    "vanir_signatures": [
        {
            "source": "https://github.com/libssh2/libssh2/commit/dedcbd106f8e52d5586b0205bc7677e4c9868f9c",
            "signature_version": "v1",
            "signature_type": "Function",
            "deprecated": false,
            "target": {
                "file": "src/packet.c",
                "function": "_libssh2_packet_add"
            },
            "digest": {
                "function_hash": "261505088534266311445285255293331755792",
                "length": 12097.0
            },
            "id": "CVE-2019-17498-4ecb2cf7"
        },
        {
            "source": "https://github.com/libssh2/libssh2/commit/dedcbd106f8e52d5586b0205bc7677e4c9868f9c",
            "signature_version": "v1",
            "signature_type": "Line",
            "deprecated": false,
            "target": {
                "file": "src/packet.c"
            },
            "digest": {
                "line_hashes": [
                    "134169250891193118529304932879379553847",
                    "205310250524678314934555577121318039325",
                    "153129567552562233549023166857273037888",
                    "178571371398251300229519893039166702638",
                    "72145293158586770308147922030597846856",
                    "26729110877010587858654623724348773108",
                    "49362216656574584973624410357610951344",
                    "321298245864012238897609765862223817780",
                    "35928507602771519079905685860166519231",
                    "154500373189842991817102946133806428940",
                    "165260082386745301364993297193505505821",
                    "224084172619535272672790341246973090398",
                    "5356660278860416646992393454495665580",
                    "215185288519949424268549841841085459888",
                    "41027521565758756400721139453438296743",
                    "261770080105454089080864056643957326646",
                    "112577356930656868917282695859156546607",
                    "266091588552765774451985637383685229894",
                    "161769171353065646776261864065306578590",
                    "106289505878685820278644300603721530175",
                    "239192671667185276821494449931361882054",
                    "119841806266198942322557246315210598842",
                    "185703913995006478349460337437414305001",
                    "162441443838476641014842705979708130684",
                    "183245701107550523990847736687199011265",
                    "50426275079859766355449435496213490799",
                    "324037346491845418402829931648401701867",
                    "179688840526055267239603553007128508269",
                    "264669166455797101183041518857048771469",
                    "44646834277421589325966971756374060949",
                    "82508341436968592692150147669647547214",
                    "79003347772182151645683941089650774376",
                    "249863810074470457690593679896838544992",
                    "253210672333095990954285753391413575534",
                    "336128189688039022752011594700859913608",
                    "153291091772006957249977471727743164452",
                    "23965398749853137458110744797193196914",
                    "269605763674799612557017037989398087974",
                    "29582490785044912089364730362447932295",
                    "258315015777790198444196601037297632797",
                    "152978136810771868822522218180542514737",
                    "57312958982436694499078779749389722939",
                    "57734602486406847187201186044700211719",
                    "51438989373981932051151411266176576083",
                    "61635492046474294702511841284264092832",
                    "219459798151302566118951099564811896122",
                    "141584221698062118268403157313352537570",
                    "303446371127046191600335366631671521471",
                    "114603074537250694026974277582493472820"
                ],
                "threshold": 0.9
            },
            "id": "CVE-2019-17498-53d4378e"
        }
    ]
}