A vulnerability was found in libssh's server-side state machine before versions 0.7.6 and 0.8.4. A malicious client could create channels without first performing authentication, resulting in unauthorized access.
CVSS v2 vector: AV:N/AC:L/Au:N/C:P/I:P/A:N

| Metric | Value |
|---|---|
| Access Vector | NETWORK |
| Access Complexity | LOW |
| Authentication | NONE |
| Confidentiality Impact | PARTIAL |
| Integrity Impact | PARTIAL |
| Availability Impact | NONE |

| Source | Type | Description |
|---|---|---|
| [email protected] | Secondary | CWE-592 |
| [email protected] | Primary | CWE-287 |

| Vendor | Product | Version | Type |
|---|---|---|---|
| libssh | libssh | * | Application |
| libssh | libssh | * | Application |
| canonical | ubuntu_linux | 14.04 | Operating System |
| canonical | ubuntu_linux | 16.04 | Operating System |
| canonical | ubuntu_linux | 18.04 | Operating System |
| canonical | ubuntu_linux | 18.10 | Operating System |
| debian | debian_linux | 8.0 | Operating System |
| debian | debian_linux | 9.0 | Operating System |
| redhat | enterprise_linux | 7.0 | Operating System |
| netapp | oncommand_unified_manager | * | Application |
| netapp | oncommand_unified_manager | * | Application |
| netapp | oncommand_workflow_automation | - | Application |
| netapp | snapcenter | - | Application |
| netapp | storage_automation_store | - | Application |
| oracle | mysql_workbench | * | Application |

| Vulnerable | CPE |
|---|---|
| Yes | cpe:2.3:a:libssh:libssh:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:a:libssh:libssh:*:*:*:*:*:*:*:* |
| Vulnerable | CPE |
|---|---|
| Yes | cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:* |
| Yes | cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:* |
| Yes | cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:* |
| Yes | cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:* |
| Vulnerable | CPE |
|---|---|
| Yes | cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:* |
| Vulnerable | CPE |
|---|---|
| Yes | cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:* |
| Vulnerable | CPE |
|---|---|
| Yes | cpe:2.3:a:netapp:oncommand_unified_manager:*:*:*:*:*:windows:*:* |
| Yes | cpe:2.3:a:netapp:oncommand_unified_manager:*:*:*:*:*:vsphere:*:* |
| Yes | cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:* |
| Yes | cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:* |
| Yes | cpe:2.3:a:netapp:storage_automation_store:-:*:*:*:*:*:*:* |
| Vulnerable | CPE |
|---|---|
| Yes | cpe:2.3:a:oracle:mysql_workbench:*:*:*:*:*:*:*:* |