CVE-2019-14889

10.12.2019, 23:15

A flaw was found with the libssh API function ssh_scp_new() in versions before 0.9.3 and before 0.8.8. When the libssh SCP client connects to a server, the scp command, which includes a user-provided path, is executed on the server-side. In case the library is used in a way where users can influence the third parameter of the function, it would become possible for an attacker to inject arbitrary commands, leading to a compromise of the remote target.

OS Command Injection

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	8.8 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
redhat	CNA	7.1 HIGH	NETWORK	HIGH	LOW	CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 69%

Vendor	Product	Version
libssh	libssh	𝑥 < 0.8.8
libssh	libssh	0.9.0 ≤ 𝑥 < 0.9.3
canonical	ubuntu_linux	16.04
canonical	ubuntu_linux	18.04
canonical	ubuntu_linux	19.04
canonical	ubuntu_linux	19.10
opensuse	leap	15.1
debian	debian_linux	8.0
oracle	mysql_workbench	𝑥 ≤ 8.0.19

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

libssh

bullseye (security)	0.9.8-0+deb11u1 fixed
bullseye	0.9.8-0+deb11u1 fixed
bookworm	0.10.6-0+deb12u1 fixed
bookworm (security)	0.10.6-0+deb12u1 fixed
sid	0.11.1-1 fixed
trixie	0.11.1-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

libssh

eoan	Fixed 0.9.0-1ubuntu1.3 released
disco	Fixed 0.8.6-3ubuntu0.3 released
bionic	Fixed 0.8.0~20170825.94fa1e38-1ubuntu0.5 released
xenial	Fixed 0.6.3-4.3ubuntu0.5 released
trusty	dne

Common Weakness Enumeration

CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References

http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00033.html

http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00047.html

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14889

https://lists.debian.org/debian-lts-announce/2019/12/msg00020.html

https://lists.debian.org/debian-lts-announce/2023/05/msg00029.html

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7JJWJTXVWLLJTVHBPGWL7472S5FWXYQR/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EV2ONSPDJCTDVORCB4UGRQUZQQ46JHRN/

https://security.gentoo.org/glsa/202003-27

https://usn.ubuntu.com/4219-1/

https://www.libssh.org/security/advisories/CVE-2019-14889.txt

https://www.oracle.com/security-alerts/cpuapr2020.html

http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00033.html

http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00047.html

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14889

https://lists.debian.org/debian-lts-announce/2019/12/msg00020.html

https://lists.debian.org/debian-lts-announce/2023/05/msg00029.html

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7JJWJTXVWLLJTVHBPGWL7472S5FWXYQR/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EV2ONSPDJCTDVORCB4UGRQUZQQ46JHRN/

https://security.gentoo.org/glsa/202003-27

https://usn.ubuntu.com/4219-1/

https://www.libssh.org/security/advisories/CVE-2019-14889.txt

https://www.oracle.com/security-alerts/cpuapr2020.html