CVSS3: 6.5 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
AI Score: 7.4 High (Confidence: Low)
CVSS2: 6.4 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N
EPSS: 0.006 Low (Percentile: 78.3%)
Software: libssh 0.9.6
OS: ROSA Virtualization 2.1
package_evr_string: libssh-0.9.6-10.rv3.src.rpm
CVE-ID: CVE-2021-3634
BDU-ID: None
CVE-Crit: MEDIUM
CVE-DESC.: A bug was discovered in libssh for versions prior to 0.9.6. The SSH protocol keeps track of two shared secrets throughout a session. One is called secret_hash and the other is called session_id. Initially both are the same, but after the keys are exchanged again, the previous session_id is stored and used as input for the new secret_hash. Historically, both of these buffers shared a common variable length, which worked as long as the buffers were the same. But a rekeying operation can also change the key exchange method, which can be based on a different sized hash, ultimately creating a different sized “secret_hash” than the session_id. This becomes a problem when the session_id memory is zeroed out or when it is reused during a second key exchange.
CVE-STATUS: Fixed
CVE-REV: To close, run the yum update libssh command
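The length mismatch described for CVE-2021-3634, as an added C example that is not libssh's code: a session model that tracks a separate length for each secret, plus a check that reports how far a single shared length would run past session_id after a rekey to a larger hash. The struct, the function names and the 32-byte and 64-byte digests are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Illustrative session model; names are hypothetical, not libssh's own. */
struct sess {
    unsigned char *session_id;  size_t session_id_len;  /* fixed at first key exchange */
    unsigned char *secret_hash; size_t secret_hash_len; /* replaced on every rekey */
};

static void wipe_free(unsigned char *p, size_t n) {
    volatile unsigned char *v = p;
    while (p && n--) *v++ = 0;      /* zero exactly n bytes, then release */
    free(p);
}

/* Install the exchange hash of a (re)key exchange. Returns 0, or -1 on error. */
int kex_update(struct sess *s, const unsigned char *hash, size_t len) {
    unsigned char *copy = malloc(len);
    if (!copy || len == 0) { free(copy); return -1; }
    memcpy(copy, hash, len);
    if (s->session_id == NULL) {    /* first exchange: both secrets are the same */
        if (!(s->session_id = malloc(len))) { free(copy); return -1; }
        memcpy(s->session_id, hash, len);
        s->session_id_len = len;
    }
    wipe_free(s->secret_hash, s->secret_hash_len);  /* old buffer, old length */
    s->secret_hash = copy;
    s->secret_hash_len = len;       /* session_id_len is left untouched */
    return 0;
}

/* Bytes a single shared length would run past session_id on wipe or reuse; 0 if it fits. */
size_t shared_len_overrun(const struct sess *s) {
    return s->secret_hash_len > s->session_id_len ? s->secret_hash_len - s->session_id_len : 0;
}

void sess_clear(struct sess *s) {   /* each buffer is wiped with its own length */
    wipe_free(s->session_id, s->session_id_len);
    wipe_free(s->secret_hash, s->secret_hash_len);
    memset(s, 0, sizeof *s);
}

int main(void) {
    unsigned char h256[32] = {1}, h512[64] = {2};  /* constructed stand-ins for digests */
    struct sess s = {0};
    kex_update(&s, h256, sizeof h256);             /* initial exchange, 32-byte hash */
    kex_update(&s, h512, sizeof h512);             /* rekey to a 64-byte hash */
    printf("session_id=%zu secret_hash=%zu shared-length overrun=%zu\n", s.session_id_len, s.secret_hash_len, shared_len_overrun(&s));
    sess_clear(&s);
}
```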
CVE-ID: CVE-2023-1667
BDU-ID: 2023-03857
CVE-Crit: MEDIUM
CVE-DESC.: A vulnerability in the LibSSH client authentication library is related to pointer dereferencing errors. Exploitation of the vulnerability allows an attacker acting remotely to cause a denial of service.
CVE-STATUS: Fixed
CVE-REV: To close, run the yum update libssh command
CVE-ID: CVE-2023-2283
BDU-ID: 2023-05381
CVE-Crit: MEDIUM
CVE-DESC.: A vulnerability in the pki_verify_data_signature() function of the LibSSH client authentication library is related to a flaw in the authentication procedure. Exploitation of the vulnerability could allow an attacker acting remotely to bypass security restrictions and gain unauthorized access to protected information.
CVE-STATUS: Fixed
CVE-REV: To close, run the yum update libssh command