Published: 10/12/2019 Updated: 07/11/2023

CVSS v2 Base Score: 9.3 | Impact Score: 10 | Exploitability Score: 8.6

CVSS v3 Base Score: 8.8 | Impact Score: 5.9 | Exploitability Score: 2.8

VMScore: 828

Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

A flaw was found with the libssh API function ssh_scp_new() in versions prior to 0.9.3 and prior to 0.8.8. When the libssh SCP client connects to a server, the scp command, which includes a user-provided path, is executed on the server-side. In case the library is used in a way where users can influence the third parameter of the function, it would become possible for an malicious user to inject arbitrary commands, leading to a compromise of the remote target.

Vulnerable Product	Search on Vulmon	Subscribe to Product
libssh libssh
canonical ubuntu linux 16.04
canonical ubuntu linux 18.04
canonical ubuntu linux 19.04
canonical ubuntu linux 19.10
opensuse leap 15.1
fedoraproject fedora 30
fedoraproject fedora 31
debian debian linux 8.0
oracle mysql workbench

Debian Bug report logs - #946548 libssh: CVE-2019-14889 Package: src:libssh; Maintainer for src:libssh is Laurent Bigonville <bigon@debianorg>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Tue, 10 Dec 2019 18:30:02 UTC Severity: important Tags: security, upstream Found in versions libssh/090-1, lib ...

libssh could be made to run programs under certain conditions ...

Synopsis Moderate: libssh security, bug fix, and enhancement update Type/Severity Security Advisory: Moderate Topic An update for libssh is now available for Red Hat Enterprise Linux 8Red Hat Product Security has rated this update as having a security impact of Moderate A Common Vulnerability Scoring Syst ...

Synopsis Moderate: Release of OpenShift Serverless 1110 Type/Severity Security Advisory: Moderate Topic Release of OpenShift Serverless 1110 Description Red Hat OpenShift Serverless 1110 is a generally available release of theOpenShift Serverless Operator This version of the OpenShif ...

Synopsis Moderate: OpenShift Container Platform 46 compliance-operator security and bug fix update Type/Severity Security Advisory: Moderate Topic An update for compliance-content-container, ose-compliance-openscap-container, ose-compliance-operator-container, and ose-compliance-operator-metadata-container ...

Synopsis Moderate: Release of OpenShift Serverless 1120 Type/Severity Security Advisory: Moderate Topic Release of OpenShift Serverless 1120Red Hat Product Security has rated this update as having a security impactof Moderate A Common Vulnerability Scoring System (CVSS) base score,which gives a detaile ...

Synopsis Moderate: Red Hat Quay v333 bug fix and security update Type/Severity Security Advisory: Moderate Topic Red Hat Quay v333 is now available with bug fixes and security updatesRed Hat Product Security has rated this update as having a security impact of Moderate A Common Vulnerability Scoring S ...

Synopsis Moderate: OpenShift Container Platform 4103 security update Type/Severity Security Advisory: Moderate Topic Red Hat OpenShift Container Platform release 4103 is now available withupdates to packages and images that fix several bugs and add enhancementsRed Hat Product Security has rated this update as having a security impact of ...

Synopsis Moderate: Red Hat OpenShift Container Storage 460 security, bug fix, enhancement update Type/Severity Security Advisory: Moderate Topic Updated images are now available for Red Hat OpenShift Container Storage 460 on Red Hat Enterprise Linux 8Red Hat Product Security has rated this update as ha ...

Synopsis Important: Service Telemetry Framework 14 security update Type/Severity Security Advisory: Important Topic An update is now available for Service Telemetry Framework 14 for RHEL 8Red Hat Product Security has rated this update as having a security impact of Important A Common Vulnerability Scoring System (CVSS) base score, which g ...

CVELK CVELK is a completely free and open-source tool you can use to ingest open-source and even commercial vulnerability feeds into a single location, the ELK stack Currently there is a hosted version that is free to use for personal, and commercial use, but below there are instructions on how to set this up locally, so you can ingest commercial feeds without breach

CWE-78 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14889 https://usn.ubuntu.com/4219-1/https://www.libssh.org/security/advisories/CVE-2019-14889.txt http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00033.html https://lists.debian.org/debian-lts-announce/2019/12/msg00020.html http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00047.html https://security.gentoo.org/glsa/202003-27 https://www.oracle.com/security-alerts/cpuapr2020.html https://lists.debian.org/debian-lts-announce/2023/05/msg00029.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7JJWJTXVWLLJTVHBPGWL7472S5FWXYQR/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EV2ONSPDJCTDVORCB4UGRQUZQQ46JHRN/https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946548 https://usn.ubuntu.com/4219-1/https://nvd.nist.gov

Get Started

CVE-2019-14889

Vulnerability Summary

Vulnerability Trend

Vendor Advisories

Github Repositories

References

Vulmon Search

About

Products

Connect