Paramiko version 2.4.1, 2.3.2, 2.2.3, 2.1.5, 2.0.8, 1.18.5, 1.17.6 contains a Incorrect Access Control vulnerability in SSH server that can result in RCE. This attack appear to be exploitable via network connectivity.

Metrics

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:S/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Affected Vendors & Products

Vendors Products
Canonical
  • Ubuntu Linux
Debian
  • Debian Linux
Paramiko
  • Paramiko
Redhat
  • Ansible Tower
  • Enterprise Linux
  • Enterprise Linux Desktop
  • Enterprise Linux Server
  • Enterprise Linux Server Aus
  • Enterprise Linux Server Eus
  • Enterprise Linux Server Tus
  • Enterprise Linux Workstation
  • Rhel Aus
  • Rhel Eus
  • Rhel Tus
  • Virtualization Host

Configuration 1 [-]

OR cpe:2.3:a:paramiko:paramiko:1.17.6:*:*:*:*:*:*:*
cpe:2.3:a:paramiko:paramiko:1.18.5:*:*:*:*:*:*:*
cpe:2.3:a:paramiko:paramiko:2.0.8:*:*:*:*:*:*:*
cpe:2.3:a:paramiko:paramiko:2.1.5:*:*:*:*:*:*:*
cpe:2.3:a:paramiko:paramiko:2.2.3:*:*:*:*:*:*:*
cpe:2.3:a:paramiko:paramiko:2.3.2:*:*:*:*:*:*:*
cpe:2.3:a:paramiko:paramiko:2.4.1:*:*:*:*:*:*:*

Configuration 2 [-]

OR cpe:2.3:a:redhat:ansible_tower:3.3:*:*:*:*:*:*:*
cpe:2.3:a:redhat:virtualization_host:4.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_aus:6.4:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_aus:6.5:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_aus:6.6:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_eus:6.7:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_eus:7.6:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_tus:6.6:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*

Configuration 3 [-]

OR cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Configuration 4 [-]

OR cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*
Package CPE Advisory Released Date
Red Hat Enterprise Linux 6
python-paramiko-0:1.7.5-5.el6_10 cpe:/o:redhat:enterprise_linux:6 RHSA-2018:3406 2018-10-30T00:00:00Z
Red Hat Enterprise Linux 6.4 Advanced Update Support
python-paramiko-0:1.7.5-4.el6_4.1 cpe:/o:redhat:rhel_aus:6.4 RHSA-2018:3406 2018-10-30T00:00:00Z
Red Hat Enterprise Linux 6.5 Advanced Update Support
python-paramiko-0:1.7.5-4.el6_5.1 cpe:/o:redhat:rhel_aus:6.5 RHSA-2018:3406 2018-10-30T00:00:00Z
Red Hat Enterprise Linux 6.6 Advanced Update Support
python-paramiko-0:1.7.5-4.el6_6.1 cpe:/o:redhat:rhel_aus:6.6 RHSA-2018:3406 2018-10-30T00:00:00Z
Red Hat Enterprise Linux 6.6 Telco Extended Update Support
python-paramiko-0:1.7.5-4.el6_6.1 cpe:/o:redhat:rhel_tus:6.6 RHSA-2018:3406 2018-10-30T00:00:00Z
Red Hat Enterprise Linux 6.7 Extended Update Support
python-paramiko-0:1.7.5-4.el6_7.1 cpe:/o:redhat:rhel_eus:6.7 RHSA-2018:3406 2018-10-30T00:00:00Z
Red Hat Enterprise Linux 7
python-paramiko-0:2.1.1-9.el7 cpe:/o:redhat:enterprise_linux:7 RHSA-2018:3347 2018-10-30T00:00:00Z
Red Hat Virtualization 4 for Red Hat Enterprise Linux 7
rhvm-appliance-0:4.2-20181026.1.el7 cpe:/o:redhat:enterprise_linux:7::hypervisor RHBA-2018:3497 2018-11-05T00:00:00Z
imgbased-0:1.0.29-1.el7ev cpe:/o:redhat:enterprise_linux:7::hypervisor RHSA-2018:3470 2018-11-05T00:00:00Z
redhat-release-virtualization-host-0:4.2-7.3.el7 cpe:/o:redhat:enterprise_linux:7::hypervisor RHSA-2018:3470 2018-11-05T00:00:00Z
redhat-virtualization-host-0:4.2-20181026.0.el7_6 cpe:/o:redhat:enterprise_linux:7::hypervisor RHSA-2018:3470 2018-11-05T00:00:00Z
References
Link Providers
https://access.redhat.com/errata/RHBA-2018:3497 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2018:3347 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2018:3406 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2018:3505 cve-icon cve-icon
https://github.com/paramiko/paramiko/issues/1283 cve-icon cve-icon
https://herolab.usd.de/wp-content/uploads/sites/4/usd20180023.txt cve-icon cve-icon
https://lists.debian.org/debian-lts-announce/2018/10/msg00018.html cve-icon cve-icon
https://lists.debian.org/debian-lts-announce/2021/12/msg00025.html cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2018-1000805 cve-icon
https://usn.ubuntu.com/3796-1/ cve-icon cve-icon
https://usn.ubuntu.com/3796-2/ cve-icon cve-icon
https://usn.ubuntu.com/3796-3/ cve-icon cve-icon
https://www.cve.org/CVERecord?id=CVE-2018-1000805 cve-icon
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2018-10-08T15:00:00

Updated: 2024-08-05T12:40:47.938Z

Reserved: 2018-09-10T00:00:00

Link: CVE-2018-1000805

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2018-10-08T15:29:00.713

Modified: 2022-04-06T18:35:37.670

Link: CVE-2018-1000805

cve-icon Redhat

Severity : Critical

Publid Date: 2018-09-07T00:00:00Z

Links: CVE-2018-1000805 - Bugzilla