{"containers": {"cna": {"affected": [{"product": "libssh2", "vendor": "The libssh2 Project", "versions": [{"status": "affected", "version": "1.8.1"}]}], "descriptions": [{"lang": "en", "value": "A flaw was found in libssh2 before 1.8.1. A server could send a multiple keyboard interactive response messages whose total length are greater than unsigned char max characters. This value is used as an index to copy memory causing in an out of bounds memory write error."}], "metrics": [{"cvssV3_0": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-190", "description": "CWE-190", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-787", "description": "CWE-787", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2019-10-16T17:41:00.000Z", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3863"}, {"tags": ["x_refsource_MISC"], "url": "https://www.libssh2.org/CVE-2019-3863.html"}, {"name": "[debian-lts-announce] 20190326 [SECURITY] [DLA 1730-1] libssh2 security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00032.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20190327-0005/"}, {"name": "RHSA-2019:0679", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2019:0679"}, {"name": "openSUSE-SU-2019:1075", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00040.html"}, {"name": "openSUSE-SU-2019:1109", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00003.html"}, {"name": "FEDORA-2019-3348cb4934", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5DK6VO2CEUTAJFYIKWNZKEKYMYR3NO2O/"}, {"name": "DSA-4431", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2019/dsa-4431"}, {"name": "20190415 [SECURITY] [DSA 4431-1] libssh2 security update", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "https://seclists.org/bugtraq/2019/Apr/25"}, {"name": "RHSA-2019:1175", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2019:1175"}, {"name": "RHSA-2019:1652", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2019:1652"}, {"name": "RHSA-2019:1791", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2019:1791"}, {"name": "RHSA-2019:1943", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2019:1943"}, {"name": "RHSA-2019:2399", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2019:2399"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2019-3863", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "libssh2", "version": {"version_data": [{"version_value": "1.8.1"}]}}]}, "vendor_name": "The libssh2 Project"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A flaw was found in libssh2 before 1.8.1. A server could send a multiple keyboard interactive response messages whose total length are greater than unsigned char max characters. This value is used as an index to copy memory causing in an out of bounds memory write error."}]}, "impact": {"cvss": [[{"vectorString": "7.5/CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}]]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-190"}]}, {"description": [{"lang": "eng", "value": "CWE-787"}]}]}, "references": {"reference_data": [{"name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3863", "refsource": "CONFIRM", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3863"}, {"name": "https://www.libssh2.org/CVE-2019-3863.html", "refsource": "MISC", "url": "https://www.libssh2.org/CVE-2019-3863.html"}, {"name": "[debian-lts-announce] 20190326 [SECURITY] [DLA 1730-1] libssh2 security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00032.html"}, {"name": "https://security.netapp.com/advisory/ntap-20190327-0005/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20190327-0005/"}, {"name": "RHSA-2019:0679", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2019:0679"}, {"name": "openSUSE-SU-2019:1075", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00040.html"}, {"name": "openSUSE-SU-2019:1109", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00003.html"}, {"name": "FEDORA-2019-3348cb4934", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5DK6VO2CEUTAJFYIKWNZKEKYMYR3NO2O/"}, {"name": "DSA-4431", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2019/dsa-4431"}, {"name": "20190415 [SECURITY] [DSA 4431-1] libssh2 security update", "refsource": "BUGTRAQ", "url": "https://seclists.org/bugtraq/2019/Apr/25"}, {"name": "RHSA-2019:1175", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2019:1175"}, {"name": "RHSA-2019:1652", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2019:1652"}, {"name": "RHSA-2019:1791", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2019:1791"}, {"name": "RHSA-2019:1943", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2019:1943"}, {"name": "RHSA-2019:2399", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2019:2399"}, {"name": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html", "refsource": "MISC", "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T19:19:18.614Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3863"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.libssh2.org/CVE-2019-3863.html"}, {"name": "[debian-lts-announce] 20190326 [SECURITY] [DLA 1730-1] libssh2 security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00032.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://security.netapp.com/advisory/ntap-20190327-0005/"}, {"name": "RHSA-2019:0679", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2019:0679"}, {"name": "openSUSE-SU-2019:1075", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00040.html"}, {"name": "openSUSE-SU-2019:1109", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00003.html"}, {"name": "FEDORA-2019-3348cb4934", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5DK6VO2CEUTAJFYIKWNZKEKYMYR3NO2O/"}, {"name": "DSA-4431", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "https://www.debian.org/security/2019/dsa-4431"}, {"name": "20190415 [SECURITY] [DSA 4431-1] libssh2 security update", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "https://seclists.org/bugtraq/2019/Apr/25"}, {"name": "RHSA-2019:1175", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2019:1175"}, {"name": "RHSA-2019:1652", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2019:1652"}, {"name": "RHSA-2019:1791", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2019:1791"}, {"name": "RHSA-2019:1943", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2019:1943"}, {"name": "RHSA-2019:2399", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2019:2399"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-23T13:20:45.609039Z", "id": "CVE-2019-3863", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-23T19:48:19.703Z"}}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2019-3863", "datePublished": "2019-03-25T17:52:10.000Z", "dateReserved": "2019-01-03T00:00:00.000Z", "dateUpdated": "2025-04-23T19:48:19.703Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3863", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://www.libssh2.org/CVE-2019-3863.html", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00032.html", "name": "[debian-lts-announce] 20190326 [SECURITY] [DLA 1730-1] libssh2 security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20190327-0005/", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2019:0679", "name": "RHSA-2019:0679", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00040.html", "name": "openSUSE-SU-2019:1075", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"]}, {"url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00003.html", "name": "openSUSE-SU-2019:1109", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5DK6VO2CEUTAJFYIKWNZKEKYMYR3NO2O/", "name": "FEDORA-2019-3348cb4934", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"]}, {"url": "https://www.debian.org/security/2019/dsa-4431", "name": "DSA-4431", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"]}, {"url": "https://seclists.org/bugtraq/2019/Apr/25", "name": "20190415 [SECURITY] [DSA 4431-1] libssh2 security update", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2019:1175", "name": "RHSA-2019:1175", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2019:1652", "name": "RHSA-2019:1652", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2019:1791", "name": "RHSA-2019:1791", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2019:1943", "name": "RHSA-2019:1943", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2019:2399", "name": "RHSA-2019:2399", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T19:19:18.614Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2019-3863", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-04-23T13:20:45.609039Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-23T13:20:46.967Z"}}], "cna": {"metrics": [{"cvssV3_0": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "The libssh2 Project", "product": "libssh2", "versions": [{"status": "affected", "version": "1.8.1"}]}], "references": [{"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3863", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://www.libssh2.org/CVE-2019-3863.html", "tags": ["x_refsource_MISC"]}, {"url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00032.html", "name": "[debian-lts-announce] 20190326 [SECURITY] [DLA 1730-1] libssh2 security update", "tags": ["mailing-list", "x_refsource_MLIST"]}, {"url": "https://security.netapp.com/advisory/ntap-20190327-0005/", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://access.redhat.com/errata/RHSA-2019:0679", "name": "RHSA-2019:0679", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00040.html", "name": "openSUSE-SU-2019:1075", "tags": ["vendor-advisory", "x_refsource_SUSE"]}, {"url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00003.html", "name": "openSUSE-SU-2019:1109", "tags": ["vendor-advisory", "x_refsource_SUSE"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5DK6VO2CEUTAJFYIKWNZKEKYMYR3NO2O/", "name": "FEDORA-2019-3348cb4934", "tags": ["vendor-advisory", "x_refsource_FEDORA"]}, {"url": "https://www.debian.org/security/2019/dsa-4431", "name": "DSA-4431", "tags": ["vendor-advisory", "x_refsource_DEBIAN"]}, {"url": "https://seclists.org/bugtraq/2019/Apr/25", "name": "20190415 [SECURITY] [DSA 4431-1] libssh2 security update", "tags": ["mailing-list", "x_refsource_BUGTRAQ"]}, {"url": "https://access.redhat.com/errata/RHSA-2019:1175", "name": "RHSA-2019:1175", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2019:1652", "name": "RHSA-2019:1652", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2019:1791", "name": "RHSA-2019:1791", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2019:1943", "name": "RHSA-2019:1943", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2019:2399", "name": "RHSA-2019:2399", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "A flaw was found in libssh2 before 1.8.1. A server could send a multiple keyboard interactive response messages whose total length are greater than unsigned char max characters. This value is used as an index to copy memory causing in an out of bounds memory write error."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-190", "description": "CWE-190"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-787", "description": "CWE-787"}]}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2019-10-16T17:41:00.000Z"}, "x_legacyV4Record": {"impact": {"cvss": [[{"version": "3.0", "vectorString": "7.5/CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"}]]}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "1.8.1"}]}, "product_name": "libssh2"}]}, "vendor_name": "The libssh2 Project"}]}}, "data_type": "CVE", "references": {"reference_data": [{"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3863", "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3863", "refsource": "CONFIRM"}, {"url": "https://www.libssh2.org/CVE-2019-3863.html", "name": "https://www.libssh2.org/CVE-2019-3863.html", "refsource": "MISC"}, {"url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00032.html", "name": "[debian-lts-announce] 20190326 [SECURITY] [DLA 1730-1] libssh2 security update", "refsource": "MLIST"}, {"url": "https://security.netapp.com/advisory/ntap-20190327-0005/", "name": "https://security.netapp.com/advisory/ntap-20190327-0005/", "refsource": "CONFIRM"}, {"url": "https://access.redhat.com/errata/RHSA-2019:0679", "name": "RHSA-2019:0679", "refsource": "REDHAT"}, {"url": "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00040.html", "name": "openSUSE-SU-2019:1075", "refsource": "SUSE"}, {"url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00003.html", "name": "openSUSE-SU-2019:1109", "refsource": "SUSE"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5DK6VO2CEUTAJFYIKWNZKEKYMYR3NO2O/", "name": "FEDORA-2019-3348cb4934", "refsource": "FEDORA"}, {"url": "https://www.debian.org/security/2019/dsa-4431", "name": "DSA-4431", "refsource": "DEBIAN"}, {"url": "https://seclists.org/bugtraq/2019/Apr/25", "name": "20190415 [SECURITY] [DSA 4431-1] libssh2 security update", "refsource": "BUGTRAQ"}, {"url": "https://access.redhat.com/errata/RHSA-2019:1175", "name": "RHSA-2019:1175", "refsource": "REDHAT"}, {"url": "https://access.redhat.com/errata/RHSA-2019:1652", "name": "RHSA-2019:1652", "refsource": "REDHAT"}, {"url": "https://access.redhat.com/errata/RHSA-2019:1791", "name": "RHSA-2019:1791", "refsource": "REDHAT"}, {"url": "https://access.redhat.com/errata/RHSA-2019:1943", "name": "RHSA-2019:1943", "refsource": "REDHAT"}, {"url": "https://access.redhat.com/errata/RHSA-2019:2399", "name": "RHSA-2019:2399", "refsource": "REDHAT"}, {"url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html", "name": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html", "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "A flaw was found in libssh2 before 1.8.1. A server could send a multiple keyboard interactive response messages whose total length are greater than unsigned char max characters. This value is used as an index to copy memory causing in an out of bounds memory write error."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-190"}]}, {"description": [{"lang": "eng", "value": "CWE-787"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2019-3863", "STATE": "PUBLIC", "ASSIGNER": "secalert@redhat.com"}}}}, "cveMetadata": {"cveId": "CVE-2019-3863", "state": "PUBLISHED", "dateUpdated": "2025-04-23T19:48:19.703Z", "dateReserved": "2019-01-03T00:00:00.000Z", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "datePublished": "2019-03-25T17:52:10.000Z", "assignerShortName": "redhat"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:libssh2:libssh2:*:*:*:*:*:*:*:*", "matchCriteriaId": "23E074D8-B71C-4C02-9383-F419F9C6EFB2", "versionEndExcluding": "1.8.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:netapp:ontap_select_deploy_administration_utility:-:*:*:*:*:*:*:*", "matchCriteriaId": "E7CF3019-975D-40BB-A8A4-894E62BD3797", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*", "matchCriteriaId": "F1E78106-58E6-4D59-990F-75DA575BFAD9", "vulnerable": true}, {"criteria": "cpe:2.3:o:opensuse:leap:42.3:*:*:*:*:*:*:*", "matchCriteriaId": "5F65DAB0-3DAD-49FF-BC73-3581CC3D5BF3", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "33C068A4-3780-4EAB-A937-6082DF847564", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "51EF4996-72F4-4FA4-814F-F5991E7A8318", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*", "matchCriteriaId": "B353CE99-D57C-465B-AAB0-73EF581127D1", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_eus:7.6:*:*:*:*:*:*:*", "matchCriteriaId": "BF77CDCF-B9C9-427D-B2BF-36650FB2148C", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:*", "matchCriteriaId": "B76AA310-FEC7-497F-AF04-C3EC1E76C4CC", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "825ECE2D-E232-46E0-A047-074B34DB1E97", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A flaw was found in libssh2 before 1.8.1. A server could send a multiple keyboard interactive response messages whose total length are greater than unsigned char max characters. This value is used as an index to copy memory causing in an out of bounds memory write error."}, {"lang": "es", "value": "Se ha descubierto un problema en versiones anteriores a la 1.8.1 de libssh2. Un servidor podr\u00eda enviar m\u00faltiples mensajes de respuesta interactiva mediante teclado cuya longitud total es mayor que el los caracteres no firmados char max. El valor se utiliza como \u00edndice para copiar memoria causando un error de escritura de memoria fuera de l\u00edmites."}], "id": "CVE-2019-3863", "lastModified": "2024-11-21T04:42:44.777", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "secalert@redhat.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-03-25T18:29:01.590", "references": [{"source": "secalert@redhat.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00040.html"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00003.html"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2019:0679"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2019:1175"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2019:1652"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2019:1791"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2019:1943"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2019:2399"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3863"}, {"source": "secalert@redhat.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00032.html"}, {"source": "secalert@redhat.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5DK6VO2CEUTAJFYIKWNZKEKYMYR3NO2O/"}, {"source": "secalert@redhat.com", "url": "https://seclists.org/bugtraq/2019/Apr/25"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20190327-0005/"}, {"source": "secalert@redhat.com", "url": "https://www.debian.org/security/2019/dsa-4431"}, {"source": "secalert@redhat.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://www.libssh2.org/CVE-2019-3863.html"}, {"source": "secalert@redhat.com", "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00040.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00003.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2019:0679"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://access.redhat.com/errata/RHSA-2019:1175"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://access.redhat.com/errata/RHSA-2019:1652"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://access.redhat.com/errata/RHSA-2019:1791"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://access.redhat.com/errata/RHSA-2019:1943"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://access.redhat.com/errata/RHSA-2019:2399"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3863"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00032.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5DK6VO2CEUTAJFYIKWNZKEKYMYR3NO2O/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://seclists.org/bugtraq/2019/Apr/25"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20190327-0005/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.debian.org/security/2019/dsa-4431"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "https://www.libssh2.org/CVE-2019-3863.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-190"}, {"lang": "en", "value": "CWE-787"}], "source": "secalert@redhat.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-787"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank the libssh2 project for reporting this issue. Upstream acknowledges Chris Coulson (Canonical Ltd.) as the original reporter.", "affected_release": [{"advisory": "RHSA-2019:1652", "cpe": "cpe:/o:redhat:enterprise_linux:6", "package": "libssh2-0:1.4.2-3.el6_10.1", "product_name": "Red Hat Enterprise Linux 6", "release_date": "2019-07-02T00:00:00Z"}, {"advisory": "RHSA-2019:0679", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "libssh2-0:1.4.3-12.el7_6.2", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2019-03-28T00:00:00Z"}, {"advisory": "RHSA-2019:2399", "cpe": "cpe:/o:redhat:rhel_aus:7.3", "package": "libssh2-0:1.4.3-11.el7_3.1", "product_name": "Red Hat Enterprise Linux 7.3 Advanced Update Support", "release_date": "2019-08-07T00:00:00Z"}, {"advisory": "RHSA-2019:2399", "cpe": "cpe:/o:redhat:rhel_tus:7.3", "package": "libssh2-0:1.4.3-11.el7_3.1", "product_name": "Red Hat Enterprise Linux 7.3 Telco Extended Update Support", "release_date": "2019-08-07T00:00:00Z"}, {"advisory": "RHSA-2019:2399", "cpe": "cpe:/o:redhat:rhel_e4s:7.3", "package": "libssh2-0:1.4.3-11.el7_3.1", "product_name": "Red Hat Enterprise Linux 7.3 Update Services for SAP Solutions", "release_date": "2019-08-07T00:00:00Z"}, {"advisory": "RHSA-2019:1943", "cpe": "cpe:/o:redhat:rhel_eus:7.4", "package": "libssh2-0:1.4.3-11.el7_4.1", "product_name": "Red Hat Enterprise Linux 7.4 Extended Update Support", "release_date": "2019-07-30T00:00:00Z"}, {"advisory": "RHSA-2019:1791", "cpe": "cpe:/o:redhat:rhel_eus:7.5", "package": "libssh2-0:1.4.3-11.el7_5.1", "product_name": "Red Hat Enterprise Linux 7.5 Extended Update Support", "release_date": "2019-07-16T00:00:00Z"}, {"advisory": "RHSA-2019:1175", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "virt:rhel-8000020190510171727.55190bc5", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2019-05-14T00:00:00Z"}], "bugzilla": {"description": "libssh2: Integer overflow in user authenticate keyboard interactive allows out-of-bounds writes", "id": "1687313", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1687313"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-190->CWE-787", "details": ["A flaw was found in libssh2 before 1.8.1. A server could send a multiple keyboard interactive response messages whose total length are greater than unsigned char max characters. This value is used as an index to copy memory causing in an out of bounds memory write error.", "A flaw was found in libssh2. A server could send a multiple keyboard interactive response messages, whose total length are greater than the unsigned char max characters. This value is used as an index to copy memory causing in an out of bounds memory write error. The highest threat from this vulnerability is to data confidentiality and integrity and system availability."], "name": "CVE-2019-3863", "package_state": [{"cpe": "cpe:/a:redhat:advanced_virtualization:8::el8", "fix_state": "Affected", "package_name": "virt:8.0.0/libssh2", "product_name": "Red Hat Enterprise Linux 8 Advanced Virtualization"}, {"cpe": "cpe:/o:redhat:rhev_hypervisor:4", "fix_state": "Will not fix", "impact": "low", "package_name": "redhat-virtualization-host", "product_name": "Red Hat Virtualization 4"}, {"cpe": "cpe:/o:redhat:rhev_hypervisor:4", "fix_state": "Will not fix", "impact": "low", "package_name": "rhvm-appliance", "product_name": "Red Hat Virtualization 4"}], "public_date": "2019-03-13T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2019-3863\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-3863\nhttps://www.libssh2.org/CVE-2019-3863.html"], "statement": "This flaw was present in libssh2 packages included in Red Hat Virtualization Hypervisor and Management Appliance, however libssh2 in these hosts is never exposed to malicious clients or servers.", "threat_severity": "Important"}