[FREEBSD:1E7FA41B-F6CA-4FE8-BD46-0E176B42B14F] libssh -- Unsanitized location in scp could lead to unwanted command execution
Severity
High
Affected Packages
1
CVEs
1
The libssh team reports:
In an environment where a user is only allowed to copy files and
not to execute applications, it would be possible to pass a location
which contains commands to be executed in additon.
When the libssh SCP client connects to a server, the scp
command, which includes a user-provided path, is executed
on the server-side. In case the library is used in a way
where users can influence the third parameter of
ssh_scp_new(), it would become possible for an attacker to
inject arbitrary commands, leading to a compromise of the
remote target.
| Package | Affected Version |
|---|---|
 pkg:freebsd/libssh
|
< 0.8.8 |
- ID
- FREEBSD:1E7FA41B-F6CA-4FE8-BD46-0E176B42B14F
- Severity
- high
- Severity from
- CVE-2019-14889
- URL
- http://vuxml.freebsd.org/freebsd/1e7fa41b-f6ca-4fe8-bd46-0e176b42b14f.html
- Published
-
2019-11-14T00:00:00
(4 years ago) - Modified
-
2020-02-02T00:00:00
(4 years ago) - Rights
- FreeBSD VuXML Security Team
- Other Advisories
-
-
ALPINE:CVE-2019-14889
-
ALSA-2020:4545
-
ELSA-2020-4545
-
FEDORA-2019-46b6bd2459
-
FEDORA-2019-8b0ad69829
-
GLSA-202003-27
-
openSUSE-SU-2019:2689-1
-
openSUSE-SU-2020:0102-1
-
RHSA-2020:4545
-
SUSE-SU-2019:3267-1
-
SUSE-SU-2019:3293-1
-
SUSE-SU-2019:3307-1
-
SUSE-SU-2019:3308-1
-
SUSE-SU-2020:0129-1
-
SUSE-SU-2020:0130-1
-
SUSE-SU-2020:0131-1
-
SUSE-SU-2020:0139-1
-
SUSE-SU-2024:0525-1
-
SUSE-SU-2024:0539-1
-
USN-4219-1
-
| Source | # ID | Name | URL |
|---|---|---|---|
| FreeBSD VuXML |
|
||
| FreeBSD VuXML |
|
| Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
|---|---|---|---|---|---|---|---|
| Affected | pkg:freebsd/libssh |
libssh
|
< 0.8.8 |
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | Exploits | PoC | Pubblication Date | Modification Date |
|---|---|---|---|---|---|---|---|---|---|---|---|
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | PoC | Pubblication Date | Modification Date |