7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
0.001 Low
EPSS
Percentile
44.6%
The fingerprint_b64 pointer is as parameter for failure logging after it is freed.
The following are the details of the code.
git commit a51f90ec0f74176776f5d14b99689f9241660eaa (HEAD -> master, origin/master, origin/HEAD)
In curl/lib/vssh/libssh2.c
653 static CURLcode ssh_check_fingerprint(struct Curl_easy *data)
654 {
โฆ
667 char *fingerprint_b64 = NULL;
โฆ
729 if((pub_pos != b64_pos) ||
730 strncmp(fingerprint_b64, pubkey_sha256, pub_pos)) {
731 free(fingerprint_b64);
732
733 failf(data,
734 "Denied establishing ssh session: mismatch sha256 fingerprint. "
735 โRemote %s is not equal to %sโ, fingerprint_b64, pubkey_sha256);
According to git blame, the following commits were involved:
d1e7d9197b lib/vssh/libssh2.c (Mats Lindestam 2021-09-26 23:20:53 +0200 731) free(fingerprint_b64);
d1e7d9197b lib/vssh/libssh2.c (Mats Lindestam 2021-09-26 23:20:53 +0200 732)
d1e7d9197b lib/vssh/libssh2.c (Mats Lindestam 2021-09-26 23:20:53 +0200 733) failf(data,
ff2f3e8367 lib/vssh/libssh2.c (Daniel Stenberg 2022-04-25 11:41:20 +0200 734) "Denied establishing ssh session: mismatch sha256 fingerprint. "
ff2f3e8367 lib/vssh/libssh2.c (Daniel Stenberg 2022-04-25 11:41:20 +0200 735) โRemote %s is not equal to %sโ, fingerprint_b64, pubkey_sha256);
Depends on which memory is the pointer fingerprint_b64 pointing to at the time failf() is called, it may either crash the application or it may print out whatever was in memory at the time leading to information leak in the fail log.
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
0.001 Low
EPSS
Percentile
44.6%