CVSS: 5.9EPSS: 67%CPEs: 79EXPL: 3CVE-2023-48795 – ssh: Prefix truncation attack on Binary Packet Protocol (BPP)
https://notcve.org/view.php?id=CVE-2023-48795
18 Dec 2023 — The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phas... • https://packetstorm.news/files/id/176280 • CWE-222: Truncation of Security-relevant Information CWE-354: Improper Validation of Integrity Check Value •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-3603 – Processing sftp server read may cause null dereference
https://notcve.org/view.php?id=CVE-2023-3603
21 Jul 2023 — A missing allocation check in sftp server processing read requests may cause a NULL dereference on low-memory conditions. The malicious client can request up to 4GB SFTP reads, causing allocation of up to 4GB buffers, which was not being checked for failure. This will likely crash the authenticated user's sftp server connection (if implemented as forking as recommended). For thread-based servers, this might also cause DoS for legitimate users. Given this code is not in any released versions, no security rel... • https://access.redhat.com/security/cve/CVE-2023-3603 • CWE-476: NULL Pointer Dereference •
CVSS: 9.3EPSS: 0%CPEs: 11EXPL: 0CVE-2019-14889 – libssh: unsanitized location in scp could lead to unwanted command execution
https://notcve.org/view.php?id=CVE-2019-14889
10 Dec 2019 — A flaw was found with the libssh API function ssh_scp_new() in versions before 0.9.3 and before 0.8.8. When the libssh SCP client connects to a server, the scp command, which includes a user-provided path, is executed on the server-side. In case the library is used in a way where users can influence the third parameter of the function, it would become possible for an attacker to inject arbitrary commands, leading to a compromise of the remote target. Se detectó un fallo con la función ssh_scp_new() de la AP... • http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00033.html • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 7.5EPSS: 1%CPEs: 8EXPL: 0CVE-2015-3146 – Ubuntu Security Notice USN-2912-1
https://notcve.org/view.php?id=CVE-2015-3146
25 Feb 2016 — The (1) SSH_MSG_NEWKEYS and (2) SSH_MSG_KEXDH_REPLY packet handlers in package_cb.c in libssh before 0.6.5 do not properly validate state, which allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a crafted SSH packet. Los manejadores de paquete (1) SSH_MSG_NEWKEYS y (2) SSH_MSG_KEXDH_REPLY en package_cb.c en libssh en versiones anteriores a 0.6.5 no valida correctamente el estado, lo que permite a atacantes remotos provocar una denegación de servicio (referencia a ... • http://lists.fedoraproject.org/pipermail/package-announce/2015-July/161802.html •
CVSS: 5.9EPSS: 2%CPEs: 9EXPL: 0CVE-2016-0739 – libssh: bits/bytes confusion resulting in truncated Difffie-Hellman secret length
https://notcve.org/view.php?id=CVE-2016-0739
24 Feb 2016 — libssh before 0.7.3 improperly truncates ephemeral secrets generated for the (1) diffie-hellman-group1 and (2) diffie-hellman-group14 key exchange methods to 128 bits, which makes it easier for man-in-the-middle attackers to decrypt or intercept SSH sessions via unspecified vectors, aka a "bits/bytes confusion bug." libssh en versiones anteriores a 0.7.3 trunca de manera incorrecta secretos efímeros generados para los métodos de intercambio de clave (1) diffie-hellman-group1 y (2) diffie-hellman-group14 a 1... • http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178058.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-704: Incorrect Type Conversion or Cast •
CVSS: 7.5EPSS: 2%CPEs: 20EXPL: 0CVE-2014-8132 – Mandriva Linux Security Advisory 2015-020
https://notcve.org/view.php?id=CVE-2014-8132
29 Dec 2014 — Double free vulnerability in the ssh_packet_kexinit function in kex.c in libssh 0.5.x and 0.6.x before 0.6.4 allows remote attackers to cause a denial of service via a crafted kexinit packet. Vulnerabilidad de doble liberación en la función ssh_packet_kexinit en kex.c en libssh 0.5.x y 0.6.x anterior a 0.6.4 permite a atacantes remotos causar una denegación de servicio a través del paquete modificado kexinit. When using libssh before 0.6.3, a libssh-based server, when accepting a new connection, forks and t... • http://advisories.mageia.org/MGASA-2015-0014.html •
CVSS: 4.7EPSS: 0%CPEs: 12EXPL: 0CVE-2014-0017 – Gentoo Linux Security Advisory 201408-03
https://notcve.org/view.php?id=CVE-2014-0017
12 Mar 2014 — The RAND_bytes function in libssh before 0.6.3, when forking is enabled, does not properly reset the state of the OpenSSL pseudo-random number generator (PRNG), which causes the state to be shared between children processes and allows local users to obtain sensitive information by leveraging a pid collision. La función RAND_bytes en libssh anterior a 0.6.3, cuando la creación de procesos (“forking”) está habilitada, no restablece debidamente el estado del generador de números pseudo-aleatorios OpenSSL (PRNG... • http://lists.opensuse.org/opensuse-updates/2014-03/msg00036.html • CWE-310: Cryptographic Issues •
CVSS: 7.5EPSS: 1%CPEs: 7EXPL: 0CVE-2013-0176
https://notcve.org/view.php?id=CVE-2013-0176
05 Feb 2013 — The publickey_from_privatekey function in libssh before 0.5.4, when no algorithm is matched during negotiations, allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a "Client: Diffie-Hellman Key Exchange Init" packet. La función publickey_from_privatekey en libssh anterior a v0.5.4, cuando ningun algoritmo coincide durante la negociacion, permite a atacantes remotos causar una denegación de servicio (referencia NULL y caída de la aplicación) mediante un paquete "Cli... • http://lists.fedoraproject.org/pipermail/package-announce/2013-February/098065.html • CWE-399: Resource Management Errors •
CVSS: 9.8EPSS: 2%CPEs: 6EXPL: 0CVE-2012-6063 – Gentoo Linux Security Advisory 201402-26
https://notcve.org/view.php?id=CVE-2012-6063
30 Nov 2012 — Double free vulnerability in the sftp_mkdir function in sftp.c in libssh before 0.5.3 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unspecified vectors, a different vector than CVE-2012-4559. Vulnerabilidad de doble liberación en la función sftp_mkdir en sftp.c en libssh antes de v0.5.3 permite a atacantes remotos provocar una denegación de servicio (caída) y posiblemente ejecutar código arbitrario a través de vectores no especificados, un vector difere... • http://git.libssh.org/projects/libssh.git/commit/?h=v0-5&id=4d8420f3282ed07fc99fc5e930c17df27ef1e9b2 • CWE-399: Resource Management Errors •
CVSS: 9.8EPSS: 3%CPEs: 6EXPL: 0CVE-2012-4559 – Gentoo Linux Security Advisory 201402-26
https://notcve.org/view.php?id=CVE-2012-4559
30 Nov 2012 — Multiple double free vulnerabilities in the (1) agent_sign_data function in agent.c, (2) channel_request function in channels.c, (3) ssh_userauth_pubkey function in auth.c, (4) sftp_parse_attr_3 function in sftp.c, and (5) try_publickey_from_file function in keyfiles.c in libssh before 0.5.3 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unspecified vectors. Múltiples vulnerabilidades de doble liberación en las funciones (1) agent_sign_data en agent.c, (2... • http://lists.fedoraproject.org/pipermail/package-announce/2012-November/093313.html • CWE-399: Resource Management Errors •