CVE-2019-3860

An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the way SFTP packets with empty payloads are parsed. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.

References

Affected packages

Git / github.com/libssh2/libssh2

Affected ranges

Type

GIT

Repo

https://github.com/libssh2/libssh2

Events

Introduced

3f24fb005e78fd61fa37e797b17e733bd32b452f

Last affected

30e9c1347e3b8baa2951db612f05e6d87fc8e2f2

Database specific

{
    "versions": [
        {
            "introduced": "0.3"
        },
        {
            "last_affected": "1.8.0"
        }
    ]
}

Affected versions

RELEASE.*

RELEASE.0.10

RELEASE.0.11

RELEASE.0.12

RELEASE.0.13

RELEASE.0.14

RELEASE.0.15

RELEASE.0.16

RELEASE.0.17

RELEASE.0.18

RELEASE.0.3

RELEASE.0.5

RELEASE.0.6

RELEASE.0.7

RELEASE.0.8

RELEASE.1.0

RELEASE.1.1

beforenb-0.*

beforenb-0.14

beforenb2-0.*

beforenb2-0.14

libssh2-1.*

libssh2-1.2

libssh2-1.2.1

libssh2-1.2.2

libssh2-1.2.3

libssh2-1.2.4

libssh2-1.2.5

libssh2-1.2.6

libssh2-1.2.7

libssh2-1.2.8

libssh2-1.2.9

libssh2-1.3.0

libssh2-1.4.0

libssh2-1.4.1

libssh2-1.4.2

libssh2-1.4.3

libssh2-1.5.0

libssh2-1.6.0

libssh2-1.7.0

libssh2-1.8.0

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-3860.json"

unresolved_ranges

[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "8.0"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "15.0"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "42.3"
            }
        ]
    }
]