A flaw was found with the libssh API function ssh_scp_new() in versions before 0.9.3 and before 0.8.8. When the libssh SCP client connects to a server, the scp command, which includes a user-provided path, is executed on the server-side. In case the library is used in a way where users can influence the third parameter of the function, it would become possible for an attacker to inject arbitrary commands, leading to a compromise of the remote target.
Metrics
Affected Vendors & Products
Advisories
Source | ID | Title |
---|---|---|
![]() |
DLA-2038-1 | libssh security update |
![]() |
DLA-3437-1 | libssh security update |
![]() |
EUVD-2019-5997 | A flaw was found with the libssh API function ssh_scp_new() in versions before 0.9.3 and before 0.8.8. When the libssh SCP client connects to a server, the scp command, which includes a user-provided path, is executed on the server-side. In case the library is used in a way where users can influence the third parameter of the function, it would become possible for an attacker to inject arbitrary commands, leading to a compromise of the remote target. |
![]() |
USN-4219-1 | libssh vulnerability |
Fixes
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
References
History
No history.

Status: PUBLISHED
Assigner: redhat
Published:
Updated: 2024-08-05T00:26:39.148Z
Reserved: 2019-08-10T00:00:00
Link: CVE-2019-14889

No data.

Status : Modified
Published: 2019-12-10T23:15:10.580
Modified: 2024-11-21T04:27:37.110
Link: CVE-2019-14889


No data.