CVE-2019-3860
Published Mar 25, 2019
An out-of-bounds read flaw was discovered in libssh2 before 1.8.1 in the way SFTP packets with empty payloads are parsed. A remote attacker who compromises an SSH server may be able to cause a Denial of Service or read data in the client's memory.
Affected Software
6 affected components; fixes available

debian/libssh2: 1.8.0-2.1, 1.8.0-2.1+deb10u1, 1.9.0-2, 1.10.0-3, 1.11.0-2
libssh2 libssh2: >=0.3, <=1.8.0
Debian Debian Linux: =8.0
NetApp ONTAP Select Deploy administration utility
openSUSE Leap: =15.0
openSUSE Leap: =42.3
Remediation
Patch Available
Event History
Mar 25, 2019
CVE Published via MITRE, 06:30 PM
Data Sourced via MITRE, 06:30 PM: Description, Severity, Weakness
Data Sourced via NVD, 07:29 PM: Remedy, Description, Severity, Weakness, Affected Software
Frequently Asked Questions
1. What is the vulnerability ID?
The vulnerability ID is CVE-2019-3860.
2. What is the severity of CVE-2019-3860?
The severity of CVE-2019-3860 is critical, with a severity value of 9.1.
3. What is the affected software for CVE-2019-3860?
The affected software for CVE-2019-3860 includes libssh2 before version 1.8.1, Debian Linux version 8.0, NetApp ONTAP Select Deploy administration utility, and openSUSE Leap versions 15.0 and 42.3.
4. How can the vulnerability CVE-2019-3860 be exploited?
An attacker who compromises an SSH server may be able to cause a Denial of Service or read data in the client's memory.
5. Is there a fix available for CVE-2019-3860?
Yes, the fix for CVE-2019-3860 is to upgrade libssh2 to version 1.8.1 or later.