An out-of-bounds read flaw was discovered in libssh2 before 1.8.1, triggered when the client receives a specially crafted SFTP packet from the server. A remote attacker who compromises an SSH server may be able to cause a denial of service or read data from the memory of a connecting client.
[
{
"signature_version": "v1",
"target": {
"function": "sftp_open",
"file": "src/sftp.c"
},
"source": "https://github.com/libssh2/libssh2/commit/f15b1e297f72882214988101ccdc5e6ad30d7e6e",
"digest": {
"length": 4408.0,
"function_hash": "130513997029550922359825906680064252000"
},
"deprecated": false,
"id": "CVE-2019-3858-0ca26948",
"signature_type": "Function"
},
{
"signature_version": "v1",
"target": {
"function": "sftp_readdir",
"file": "src/sftp.c"
},
"source": "https://github.com/libssh2/libssh2/commit/f15b1e297f72882214988101ccdc5e6ad30d7e6e",
"digest": {
"length": 3539.0,
"function_hash": "156870125600685460170868214097255513227"
},
"deprecated": false,
"id": "CVE-2019-3858-0e392e92",
"signature_type": "Function"
},
{
"signature_version": "v1",
"target": {
"function": "sftp_rmdir",
"file": "src/sftp.c"
},
"source": "https://github.com/libssh2/libssh2/commit/f15b1e297f72882214988101ccdc5e6ad30d7e6e",
"digest": {
"length": 1909.0,
"function_hash": "4909406955743338623248799753191051693"
},
"deprecated": false,
"id": "CVE-2019-3858-21c8b8e3",
"signature_type": "Function"
},
{
"signature_version": "v1",
"target": {
"file": "src/transport.c"
},
"source": "https://github.com/libssh2/libssh2/commit/f15b1e297f72882214988101ccdc5e6ad30d7e6e",
"digest": {
"threshold": 0.9,
"line_hashes": [
"103640067018174600133330910359064061656",
"251614726574061676586289990518126361186",
"160074926891258545270335781273850368025",
"175967038859953433788643658712700991614",
"252300636862946662459037524291845680275",
"205740744867692225602624986094250651221",
"207624455288639164266962776785126235995",
"163971524350525289386178785941670039263",
"276536363861099461625239258560197416473",
"97475082405096749075769309233547564320",
"94068023891273845685731676384258751860",
"37043339973854571182598270819587221390",
"117693848582867079457949872677006588348"
]
},
"deprecated": false,
"id": "CVE-2019-3858-2974ffb5",
"signature_type": "Line"
},
{
"signature_version": "v1",
"target": {
"function": "sftp_mkdir",
"file": "src/sftp.c"
},
"source": "https://github.com/libssh2/libssh2/commit/f15b1e297f72882214988101ccdc5e6ad30d7e6e",
"digest": {
"length": 2156.0,
"function_hash": "316978795291479301498767208600174571070"
},
"deprecated": false,
"id": "CVE-2019-3858-2be55118",
"signature_type": "Function"
},
{
"signature_version": "v1",
"target": {
"function": "sftp_init",
"file": "src/sftp.c"
},
"source": "https://github.com/libssh2/libssh2/commit/f15b1e297f72882214988101ccdc5e6ad30d7e6e",
"digest": {
"length": 4523.0,
"function_hash": "247608176950622540586523868616884867221"
},
"deprecated": false,
"id": "CVE-2019-3858-3ad1de42",
"signature_type": "Function"
},
{
"signature_version": "v1",
"target": {
"file": "src/packet.c"
},
"source": "https://github.com/libssh2/libssh2/commit/f15b1e297f72882214988101ccdc5e6ad30d7e6e",
"digest": {
"threshold": 0.9,
"line_hashes": [
"199396428921383754567904753674561677405",
"31270133804357931177586560687876822135",
"323494851822450658344732192105776836261",
"142904498334225816359222279156429574219",
"169213715357542628219828394899215327742",
"246723504391855212743667096651081259770",
"219723528149573161056324137910968385847",
"99693739572536478413343126564542209099",
"16230607100086614390618655014737886935",
"28864690644433868393505781328262715087",
"283415771086431288375148369345601439353",
"214993028641586205385716756194042343297",
"30674174382679724740545357973292301528",
"291367533649477489803520153245601884780",
"13527362274155811114909863399079036034",
"337874180370048735146254978566702197608",
"73397564045854670126237563937225855875",
"124804228161260961836001165961206847102",
"320614444515314617417442576224728719669",
"133936557929027914058817960718498019923",
"262097959832462143885816594370464631676",
"203691769679753352705204953988371625577",
"243194598704361328605250134210260591689",
"326831759020577706739183718505705905050",
"71871589318446607018536788288997050415",
"253954920303967547017471681273447093624",
"170568547844691926401536349425002763636",
"187090474249837812343676850997532421230"
]
},
"deprecated": false,
"id": "CVE-2019-3858-425b2318",
"signature_type": "Line"
},
{
"signature_version": "v1",
"target": {
"function": "sftp_packet_read",
"file": "src/sftp.c"
},
"source": "https://github.com/libssh2/libssh2/commit/f15b1e297f72882214988101ccdc5e6ad30d7e6e",
"digest": {
"length": 2605.0,
"function_hash": "29007860238940795080508963162592432190"
},
"deprecated": false,
"id": "CVE-2019-3858-46137bf3",
"signature_type": "Function"
},
{
"signature_version": "v1",
"target": {
"function": "sftp_stat",
"file": "src/sftp.c"
},
"source": "https://github.com/libssh2/libssh2/commit/f15b1e297f72882214988101ccdc5e6ad30d7e6e",
"digest": {
"length": 2584.0,
"function_hash": "254966901820516394836965153946132231984"
},
"deprecated": false,
"id": "CVE-2019-3858-4ecb9954",
"signature_type": "Function"
},
{
"signature_version": "v1",
"target": {
"function": "sftp_rename",
"file": "src/sftp.c"
},
"source": "https://github.com/libssh2/libssh2/commit/f15b1e297f72882214988101ccdc5e6ad30d7e6e",
"digest": {
"length": 2773.0,
"function_hash": "249582709169939548119986391714566587458"
},
"deprecated": false,
"id": "CVE-2019-3858-57e9cb40",
"signature_type": "Function"
},
{
"signature_version": "v1",
"target": {
"function": "sftp_packet_require",
"file": "src/sftp.c"
},
"source": "https://github.com/libssh2/libssh2/commit/f15b1e297f72882214988101ccdc5e6ad30d7e6e",
"digest": {
"length": 755.0,
"function_hash": "223967078130286108809695263676424007701"
},
"deprecated": false,
"id": "CVE-2019-3858-59a9cc8e",
"signature_type": "Function"
},
{
"signature_version": "v1",
"target": {
"function": "sftp_statvfs",
"file": "src/sftp.c"
},
"source": "https://github.com/libssh2/libssh2/commit/f15b1e297f72882214988101ccdc5e6ad30d7e6e",
"digest": {
"length": 3022.0,
"function_hash": "193066954364750455190143169852470119048"
},
"deprecated": false,
"id": "CVE-2019-3858-640fa543",
"signature_type": "Function"
},
{
"signature_version": "v1",
"target": {
"function": "sftp_fstat",
"file": "src/sftp.c"
},
"source": "https://github.com/libssh2/libssh2/commit/f15b1e297f72882214988101ccdc5e6ad30d7e6e",
"digest": {
"length": 2297.0,
"function_hash": "87552939035090404817081513900749527780"
},
"deprecated": false,
"id": "CVE-2019-3858-6a03a4b9",
"signature_type": "Function"
},
{
"signature_version": "v1",
"target": {
"function": "sftp_fstatvfs",
"file": "src/sftp.c"
},
"source": "https://github.com/libssh2/libssh2/commit/f15b1e297f72882214988101ccdc5e6ad30d7e6e",
"digest": {
"length": 3007.0,
"function_hash": "154740709970448259212685139117790334031"
},
"deprecated": false,
"id": "CVE-2019-3858-783199a0",
"signature_type": "Function"
},
{
"signature_version": "v1",
"target": {
"function": "sftp_fsync",
"file": "src/sftp.c"
},
"source": "https://github.com/libssh2/libssh2/commit/f15b1e297f72882214988101ccdc5e6ad30d7e6e",
"digest": {
"length": 1911.0,
"function_hash": "70978722542747169381628534237088897245"
},
"deprecated": false,
"id": "CVE-2019-3858-7da31b87",
"signature_type": "Function"
},
{
"signature_version": "v1",
"target": {
"function": "comp_method_zlib_decomp",
"file": "src/comp.c"
},
"source": "https://github.com/libssh2/libssh2/commit/f15b1e297f72882214988101ccdc5e6ad30d7e6e",
"digest": {
"length": 1654.0,
"function_hash": "208535582750504528373704712557279675537"
},
"deprecated": false,
"id": "CVE-2019-3858-9673ff73",
"signature_type": "Function"
},
{
"signature_version": "v1",
"target": {
"function": "sftp_unlink",
"file": "src/sftp.c"
},
"source": "https://github.com/libssh2/libssh2/commit/f15b1e297f72882214988101ccdc5e6ad30d7e6e",
"digest": {
"length": 1920.0,
"function_hash": "238207622479120586066667974561029709217"
},
"deprecated": false,
"id": "CVE-2019-3858-97f35798",
"signature_type": "Function"
},
{
"signature_version": "v1",
"target": {
"function": "sftp_read",
"file": "src/sftp.c"
},
"source": "https://github.com/libssh2/libssh2/commit/f15b1e297f72882214988101ccdc5e6ad30d7e6e",
"digest": {
"length": 4981.0,
"function_hash": "124395554584902358064113245536469288122"
},
"deprecated": false,
"id": "CVE-2019-3858-9fe2ce69",
"signature_type": "Function"
},
{
"signature_version": "v1",
"target": {
"function": "_libssh2_packet_add",
"file": "src/packet.c"
},
"source": "https://github.com/libssh2/libssh2/commit/f15b1e297f72882214988101ccdc5e6ad30d7e6e",
"digest": {
"length": 11818.0,
"function_hash": "139263013769379301112963821642518252508"
},
"deprecated": false,
"id": "CVE-2019-3858-a66e6b6f",
"signature_type": "Function"
},
{
"signature_version": "v1",
"target": {
"function": "sftp_close_handle",
"file": "src/sftp.c"
},
"source": "https://github.com/libssh2/libssh2/commit/f15b1e297f72882214988101ccdc5e6ad30d7e6e",
"digest": {
"length": 2400.0,
"function_hash": "66510952666634007487595159615921400704"
},
"deprecated": false,
"id": "CVE-2019-3858-a730579c",
"signature_type": "Function"
},
{
"signature_version": "v1",
"target": {
"function": "_libssh2_transport_read",
"file": "src/transport.c"
},
"source": "https://github.com/libssh2/libssh2/commit/f15b1e297f72882214988101ccdc5e6ad30d7e6e",
"digest": {
"length": 4342.0,
"function_hash": "86799271662232441093211086418938079874"
},
"deprecated": false,
"id": "CVE-2019-3858-acd172be",
"signature_type": "Function"
},
{
"signature_version": "v1",
"target": {
"function": "sftp_write",
"file": "src/sftp.c"
},
"source": "https://github.com/libssh2/libssh2/commit/f15b1e297f72882214988101ccdc5e6ad30d7e6e",
"digest": {
"length": 2761.0,
"function_hash": "140906860977583506650338755207525446836"
},
"deprecated": false,
"id": "CVE-2019-3858-b1dd8ea0",
"signature_type": "Function"
},
{
"signature_version": "v1",
"target": {
"file": "src/comp.c"
},
"source": "https://github.com/libssh2/libssh2/commit/f15b1e297f72882214988101ccdc5e6ad30d7e6e",
"digest": {
"threshold": 0.9,
"line_hashes": [
"138738530997871058217324760481727426837",
"107696138087189122395259564886294388409",
"112290794496393128758852903264868162876",
"52809053727959276374355721959295612802",
"12770254551893424450503600189042573183",
"45617965563845038229481539466585268405",
"215001412866021085991442586565829484801",
"235590017375331229929012890388037113137"
]
},
"deprecated": false,
"id": "CVE-2019-3858-b7f606b3",
"signature_type": "Line"
},
{
"signature_version": "v1",
"target": {
"file": "src/sftp.c"
},
"source": "https://github.com/libssh2/libssh2/commit/f15b1e297f72882214988101ccdc5e6ad30d7e6e",
"digest": {
"threshold": 0.9,
"line_hashes": [
"65971095931925607474165134484707703870",
"222723814939289348153355218146051798198",
"113480671933772311259999772610030569336",
"19695196832547598462457606834888635615",
"127049609747369336629182122475223020099",
"12470525589096534373276772728943659418",
"32155044467733481342404278069036594458",
"137779044843821191784305731216222529813",
"35747479322450766103434935566647633406",
"264759112087557798261983845359922580641",
"124088991803049945995184704852618995659",
"69805208474528674640255646942333298757",
"39601999874935426976778124523015805251",
"57580518838138542592417823173772120049",
"186690662476264171509820097736854606281",
"338722790218394493408045181185693330324",
"31318634649267370158387018395801710174",
"95863922084561089809966480355738672597",
"58562536153111486358663849161738575391",
"257586373076696049531271256992484549527",
"31318634649267370158387018395801710174",
"277941692672437854805067903895533117024",
"930195365551914465066024542022810991",
"61520882827881812082931468515474380345",
"124281258548907136504826399210771877949",
"155501579177461536138581566675440960402",
"186607624919055905161998020334857839241",
"47681059168272189731028481248166910692",
"215514296480026391178757771523218541956",
"88090310640409556215378225968635983611",
"282858968097619018335710218937956472745",
"206723659974232298975308156384218492425",
"62643511169649774551098817898864425199",
"90588068352132509662273725952670578185",
"5949032184103962164393255491741662758",
"267358470374560428876951903194556027302",
"153569500645276666280424855998876298522",
"308768677104799613741566934932725626192",
"155730129718991520697083261850045961201",
"91042509781940371706750289238285346291",
"27799944137411759435370625571730748854",
"256161885760382376840634742225089632239",
"262936591145080649541521842326296296120",
"168851920835715716094680876322044398117",
"275637493478533621538051109460065311802",
"230638497528559349553204731718158904924",
"113678694170965915210742920031675088874",
"40465521627419482603241296577906043282",
"63974396562076364004410605472592576352",
"61451944515453976870439667744169564234",
"180215300447983459927482916705205222939",
"9266068043088845311367125596569259713",
"71419377436793728620258786506371560031",
"145210085632340086396633827167546162936",
"47807591203379758147825292113223787016",
"111998017294301633208648524004364157841",
"258785824145221317512203237360247127886",
"211961257851835882353516745411066373895",
"114392684302371829813918826047439646487",
"63516389893263173839425079822194386402",
"44995087142340885320955708510142028317",
"315785706471591786547760636496876835558",
"281287673267630434740913578343761857834",
"82055086117350736593464579596242579390",
"240697114719864734704130356037410003492",
"25980792220443664312812863780509491933",
"309375271014376797390582696640938854802",
"267194618946616474740169495452809792277",
"278271064226926070568271101273169969544",
"8355910987929864717976471771471060091",
"327462548944843076303582838559055658150",
"294256946859065932751589814290439689937",
"185313271949990824169815147014670785682",
"53475186571127548974763691221223138970",
"337563969164289193366204957787591802359",
"92644892202845676742578405296835828825",
"86087153852978759774299934062152989962",
"112964276935553004836376032254016672688",
"289579509164681042336399307119694177534",
"298033822111783483321705680237256265678",
"209162555698799178220780671810814560572",
"13689337585668230087589507524772507124",
"75362359045000927892893310693532857619",
"78804669067230340826741349486387747146",
"261623767361555437110036042798504602926",
"103134360100103820481559057987273522738",
"50384679293043126667677926233974939327",
"229668762245312120457285614608594240879",
"165754131809779153140883632498189461641",
"193034515654885850997808592801924841630",
"335591587411946502325695806052608880345",
"52281048307288099264109015654793140510",
"44205016054515026345581986368518233972",
"39841262345021971125844634990927640977",
"232718353402101803513266714102983644072",
"168798127306700442159352040865028449896",
"128239354073677256529295492671255772437",
"252565854097638444761537694175149212092",
"72395714320895708330889239108283513575",
"122302543619529130893031948749102209273",
"95841681264838622280224943970048938054",
"324685089401091111393322302699745158459",
"178707709333783344491235177861913131455",
"295983542749776270534596316135177109219",
"29854098181896915129826445024171510731",
"337549952105635249669764912428209516193",
"55266472864524757707705108776494277414",
"79356641381436487603846310142759879643",
"34792662147523098743641077256885522470",
"93461199567666421290296820833655260890",
"298621117493045171771395055030238789388",
"69848770615224363219844122459323722609",
"35921323436327693860879660953410172195",
"82564147952529436183823380744155964769",
"11858037141856020586467799175878458608",
"335009752433316231962913636175368933142",
"239365244743271890997198862873294469238",
"330219164155508602015846383834294347152",
"29586653335739588545945019563268098986",
"48013272687762206755489564924592530729",
"284543039639426751679002065098106022213",
"200438280933182403304629807783836713122",
"257202731296099122138381793481315861782",
"241271294108767055642727677604659391630",
"267885774582818383503282869863045070932",
"34441547194473610201163048245293020542",
"229448937312690753453483851599264381932",
"100195684414310996402914543955609069823",
"8605136978013357756025765119857267745",
"249435438705802222905355549201951325819",
"181152445570287677124124990101939343845",
"335792651507686945617272029432643296012",
"32802119658179107979174637314732177078",
"312926963816273394802981816116845581862",
"103030351090938202301754232920473257916",
"324790573564236878299053896704383402611",
"333527735370601391781275787584413733631",
"320384936982751123847438764316116953848",
"251951326985529864956843125396668566696",
"68330753670659192255694925297889863963",
"61786365292793417296096874403737634813",
"286470647739747073742467474246217568694",
"142216805141072893913524675812838378923",
"48988159106810550940032179867644065778",
"290440625174490493531749932745669754405",
"224616978884452045617453603718386650868",
"55544229816361082848277849865020565203",
"82693726025499378285847793081683433160",
"288609726654228990926199491382998811482",
"268875361056801277377869759652344798556",
"333527735370601391781275787584413733631",
"104860605808974076465809389005223186298",
"51538934081336964157461772117271611281",
"51017454342430543419503018118769891394",
"26318238546097311212082765259642192583",
"154843417833589417577055145332299757133",
"253211409990975367809086894924569379890",
"79625918431933636717345291440747130492",
"183572491089278745947131740599860704786",
"135309236174200592466520246653642658054",
"105361015126032660211071059373026847209",
"87578362019669109801966768192408966505",
"227543258507976190481950008223679214826",
"328586714866202099419917549760057778940",
"79625918431933636717345291440747130492",
"25302490782050586745203522004483747970",
"24903589728618869564855089009837533522",
"289921611383971045717345298168855529303",
"283390309832871614962769806139433723827",
"54560776545286361784950090303914848633",
"302252221570731585287640313191875333916",
"79625918431933636717345291440747130492",
"297215847698455143965816521190004531801",
"282737104716336697088580419529099096210",
"254565416488565427064818775725351866745",
"231065676751345376281102256010984817035",
"68984405426815457249298147373349203119",
"291365839665883361548384776738004842727",
"238651297682930144651966495022134699791",
"174800485988229659875224033552284296567",
"198234272447601820668374162789938227624",
"322799026089645498443822212709176295369",
"710674258222870202709518609147075289",
"164814568105973671659204681195078440816",
"125524353926834576058499224351393324674",
"234807091231144583136364698532677977768",
"103068025833541066735574443881785806140",
"253238820049730472494259852459688219340",
"266528477362298232042453899676309248769",
"292337139153980869680215941573780055061",
"296898326922424954932700838967752867397",
"32802119658179107979174637314732177078",
"298708163951692866016080190435144709292",
"132673035362168830908785363969255425940",
"248089546207792900547541375589979958770",
"34792662147523098743641077256885522470",
"255237575265875068672146120583307373998",
"189648308884693257036150127320802169210",
"199788790621018672579779240874188173145",
"61966220155080096774444514593258776927",
"267583222670584456445189804748637348059"
]
},
"deprecated": false,
"id": "CVE-2019-3858-c37c10bd",
"signature_type": "Line"
},
{
"signature_version": "v1",
"target": {
"function": "sftp_packet_add",
"file": "src/sftp.c"
},
"source": "https://github.com/libssh2/libssh2/commit/f15b1e297f72882214988101ccdc5e6ad30d7e6e",
"digest": {
"length": 1579.0,
"function_hash": "320106694470257626261390603374947973232"
},
"deprecated": false,
"id": "CVE-2019-3858-cf460c89",
"signature_type": "Function"
},
{
"signature_version": "v1",
"target": {
"function": "sftp_bin2attr",
"file": "src/sftp.c"
},
"source": "https://github.com/libssh2/libssh2/commit/f15b1e297f72882214988101ccdc5e6ad30d7e6e",
"digest": {
"length": 732.0,
"function_hash": "172731995241483846760821216506079248173"
},
"deprecated": false,
"id": "CVE-2019-3858-d33f0c92",
"signature_type": "Function"
},
{
"signature_version": "v1",
"target": {
"function": "sftp_packet_requirev",
"file": "src/sftp.c"
},
"source": "https://github.com/libssh2/libssh2/commit/f15b1e297f72882214988101ccdc5e6ad30d7e6e",
"digest": {
"length": 970.0,
"function_hash": "301312821367067488469848435822307916452"
},
"deprecated": false,
"id": "CVE-2019-3858-dfa5cee2",
"signature_type": "Function"
},
{
"signature_version": "v1",
"target": {
"function": "sftp_symlink",
"file": "src/sftp.c"
},
"source": "https://github.com/libssh2/libssh2/commit/f15b1e297f72882214988101ccdc5e6ad30d7e6e",
"digest": {
"length": 3195.0,
"function_hash": "221544842930002450920983577552015030504"
},
"deprecated": false,
"id": "CVE-2019-3858-f3db2fbf",
"signature_type": "Function"
}
]