Vulnerability CVE-2019-14889: Information

Description

A flaw was found with the libssh API function ssh_scp_new() in versions before 0.9.3 and before 0.8.8. When the libssh SCP client connects to a server, the scp command, which includes a user-provided path, is executed on the server-side. In case the library is used in a way where users can influence the third parameter of the function, it would become possible for an attacker to inject arbitrary commands, leading to a compromise of the remote target.

Severity: HIGH (8.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Published: Dec. 11, 2019
Modified: Nov. 7, 2023
Error type identifier: CWE-78

Fixed packages

| Package name | Branch | Fixed in version | Version from repository | Errata ID | Task # | State |
|---|---|---|---|---|---|---|
| libssh | sisyphus | 0.9.3-alt1 | 0.10.6-alt1 | ALT-PU-2019-3261-1 | 242717 | Fixed |
| libssh | p10 | 0.9.3-alt1 | 0.10.6-alt1 | ALT-PU-2019-3261-1 | 242717 | Fixed |
| libssh | p9 | 0.9.3-alt1 | 0.9.6-alt1 | ALT-PU-2019-3290-1 | 242718 | Fixed |
| libssh | p8 | 0.8.8-alt1 | 0.8.8-alt1 | ALT-PU-2020-1469-1 | 247316 | Fixed |
| libssh | c10f1 | 0.9.3-alt1 | 0.10.6-alt1 | ALT-PU-2019-3261-1 | 242717 | Fixed |
| libssh | c9f2 | 0.9.3-alt1 | 0.10.6-alt1 | ALT-PU-2019-3290-1 | 242718 | Fixed |
| mysql-workbench-community | sisyphus | 8.0.20-alt1 | 8.0.33-alt2.2 | ALT-PU-2020-2094-1 | 252776 | Fixed |
| mysql-workbench-community | p10 | 8.0.20-alt1 | 8.0.25-alt2 | ALT-PU-2020-2094-1 | 252776 | Fixed |
| mysql-workbench-community | p9 | 8.0.20-alt1 | 8.0.25-alt2 | ALT-PU-2020-2183-1 | 252777 | Fixed |
| mysql-workbench-community | c10f1 | 8.0.20-alt1 | 8.0.25-alt2 | ALT-PU-2020-2094-1 | 252776 | Fixed |
| mysql-workbench-community | c9f2 | 8.0.20-alt1 | 8.0.25-alt3 | ALT-PU-2020-2183-1 | 252777 | Fixed |

References to Advisories, Solutions, and Tools

      Configuration 1

      cpe:2.3:a:libssh:libssh:*:*:*:*:*:*:*:*
      End excluding
      0.8.8

      cpe:2.3:a:libssh:libssh:*:*:*:*:*:*:*:*
      Start including
      0.9.0
      End excluding
      0.9.3

      Configuration 2

      cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*

      cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*

      cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*

      cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*

      Configuration 3

      cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*

      Configuration 4

      cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*

      cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*

      Configuration 5

      cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*

      Configuration 6

      cpe:2.3:a:oracle:mysql_workbench:*:*:*:*:*:*:*:*
      End including
      8.0.19