[FREEBSD:1E7FA41B-F6CA-4FE8-BD46-0E176B42B14F] libssh -- Unsanitized location in scp could lead to unwanted command execution
Severity: High
Affected Packages: 1
CVEs: 1
The libssh team reports:
In an environment where a user is only allowed to copy files and
not to execute applications, it would be possible to pass a location
which contains commands to be executed in addition.
When the libssh SCP client connects to a server, the scp
command, which includes a user-provided path, is executed
on the server-side. In case the library is used in a way
where users can influence the third parameter of
ssh_scp_new(), it would become possible for an attacker to
inject arbitrary commands, leading to a compromise of the
remote target.
Package | Affected Version |
---|---|
pkg:freebsd/libssh | < 0.8.8 |
- ID: FREEBSD:1E7FA41B-F6CA-4FE8-BD46-0E176B42B14F
- Severity: high
- Severity from: CVE-2019-14889
- URL: http://vuxml.freebsd.org/freebsd/1e7fa41b-f6ca-4fe8-bd46-0e176b42b14f.html
- Published: 2019-11-14T00:00:00
- Modified: 2020-02-02T00:00:00
- Rights: FreeBSD VuXML Security Team
- Other Advisories:
- ALPINE:CVE-2019-14889
- ALSA-2020:4545
- ELSA-2020-4545
- FEDORA-2019-46b6bd2459
- FEDORA-2019-8b0ad69829
- GLSA-202003-27
- openSUSE-SU-2019:2689-1
- openSUSE-SU-2020:0102-1
- RHSA-2020:4545
- SUSE-SU-2019:3267-1
- SUSE-SU-2019:3293-1
- SUSE-SU-2019:3307-1
- SUSE-SU-2019:3308-1
- SUSE-SU-2020:0129-1
- SUSE-SU-2020:0130-1
- SUSE-SU-2020:0131-1
- SUSE-SU-2020:0139-1
- SUSE-SU-2024:0525-1
- SUSE-SU-2024:0539-1
- USN-4219-1
Source | URL |
---|---|
FreeBSD VuXML | https://www.libssh.org/security/advisories/CVE-2019-14889.txt |
FreeBSD VuXML | https://nvd.nist.gov/vuln/detail/CVE-2019-14889 |
Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
---|---|---|---|---|---|---|---|
Affected | pkg:freebsd/libssh | | libssh | < 0.8.8 | | | |