Attacker Value

Unknown

(0 users assessed)

Exploitability

Unknown

(0 users assessed)

User Interaction

Required

Privileges Required

None

Attack Vector

Network

0

CVE-2019-3855

Disclosure Date: March 21, 2019 •

CVE-2019-3855 CVSS v3 Base Score: 8.8

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 before 1.8.1 in the way packets are read from the server. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

8.8 High

Impact Score:

5.9

Exploitability Score:

2.8

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector (AV):

Network

Attack Complexity (AC):

Low

Privileges Required (PR):

None

User Interaction (UI):

Required

Scope (S):

Unchanged

Confidentiality (C):

High

Integrity (I):

High

Availability (A):

High

References

Canonical

CVE-2019-3855 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3855)

BID-107485 (http://www.securityfocus.com/bid/107485)

Advisory

[oss-security] 20190318 [SECURITY ADVISORIES] libssh2 (http://www.openwall.com/lists/oss-security/2019/03/18/3)

20190319 [slackware-security] libssh2 (SSA:2019-077-01) (https://seclists.org/bugtraq/2019/Mar/25)

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3855

FEDORA-2019-f31c14682f (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XCWEA5ZCLKRDUK62QVVYMFWLWKOPX3LO)

https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2019-767

[debian-lts-announce] 20190326 [SECURITY] [DLA 1730-1] libssh2 security update (https://lists.debian.org/debian-lts-announce/2019/03/msg00032.html)

https://security.netapp.com/advisory/ntap-20190327-0005

https://access.redhat.com/errata/RHSA-2019:0679

http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00040.html

http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00003.html

FEDORA-2019-3348cb4934 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5DK6VO2CEUTAJFYIKWNZKEKYMYR3NO2O)

DSA-4431 (https://www.debian.org/security/2019/dsa-4431)

20190415 [SECURITY] [DSA 4431-1] libssh2 security update (https://seclists.org/bugtraq/2019/Apr/25)

https://access.redhat.com/errata/RHSA-2019:1175

https://access.redhat.com/errata/RHSA-2019:1652

https://access.redhat.com/errata/RHSA-2019:1791

https://access.redhat.com/errata/RHSA-2019:1943

FEDORA-2019-9d85600fc7 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6LUNHPW64IGCASZ4JQ2J5KDXNZN53DWW)

FEDORA-2019-5885663621 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M7IF3LNHOA75O4WZWIHJLIRMA5LJUED3)

https://access.redhat.com/errata/RHSA-2019:2399

https://support.apple.com/kb/HT210609

20190927 APPLE-SA-2019-9-26-7 Xcode 11.0 (https://seclists.org/bugtraq/2019/Sep/49)

20190927 APPLE-SA-2019-9-26-7 Xcode 11.0 (http://seclists.org/fulldisclosure/2019/Sep/42)

Miscellaneous

https://www.libssh2.org/CVE-2019-3855.html

http://packetstormsecurity.com/files/152136/Slackware-Security-Advisory-libssh2-Updates.html

https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html

Rapid7

Technical Analysis