<p>Upgrade <code>Amazon-Linux:2</code> <code>libssh2</code> to version 0:1.4.3-12.amzn2.2 or higher.<br>This issue was patched in <code>ALAS2-2019-1199</code>.</p>

Out-of-bounds Write Affecting libssh2 package, versions <0:1.4.3-12.amzn2.2

Threat Intelligence

0.33% (72^nd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-AMZN2-LIBSSH2-1669994
published 27 Sep 2021
disclosed 25 Mar 2019

Report a new vulnerability Found a mistake?

Introduced: 25 Mar 2019

CVE-2019-3857 Open this link in a new tab CWE-787 Open this link in a new tab CWE-190 Open this link in a new tab

How to fix?

Upgrade Amazon-Linux:2 libssh2 to version 0:1.4.3-12.amzn2.2 or higher.
This issue was patched in ALAS2-2019-1199.

NVD Description

Note: Versions mentioned in the description apply only to the upstream libssh2 package and not the libssh2 package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 before 1.8.1 in the way SSH_MSG_CHANNEL_REQUEST packets with an exit signal are parsed. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.

References

CVSS Scores

version 3.1

Attack Vector (AV)

Network
Attack Complexity (AC)

Low
Privileges Required (PR)

None
User Interaction (UI)

Required

Scope (S)

Unchanged

Confidentiality (C)

High
Integrity (I)

High
Availability (A)

High