{"id":"PYSEC-2018-19","details":"transport.py in the SSH server implementation of Paramiko before 1.17.6, 1.18.x before 1.18.5, 2.0.x before 2.0.8, 2.1.x before 2.1.5, 2.2.x before 2.2.3, 2.3.x before 2.3.2, and 2.4.x before 2.4.1 does not properly check whether authentication is completed before processing other requests, as demonstrated by channel-open. A customized SSH client can simply skip the authentication step.","aliases":["CVE-2018-7750","GHSA-232r-66cg-79px"],"modified":"2023-11-08T04:00:23.504429Z","published":"2018-03-13T18:29:00Z","references":[{"type":"FIX","url":"https://github.com/paramiko/paramiko/commit/fa29bd8446c8eab237f5187d28787727b4610516"},{"type":"WEB","url":"https://github.com/paramiko/paramiko/blob/master/sites/www/changelog.rst"},{"type":"REPORT","url":"https://github.com/paramiko/paramiko/issues/1175"},{"type":"WEB","url":"https://usn.ubuntu.com/3603-2/"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:0591"},{"type":"WEB","url":"https://usn.ubuntu.com/3603-1/"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:0646"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:1125"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:1124"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:1213"},{"type":"WEB","url":"http://www.securityfocus.com/bid/103713"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:1274"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:1328"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:1525"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:1972"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2018/10/msg00018.html"},{"type":"WEB","url":"https://www.exploit-db.com/exploits/45712/"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-232r-66cg-79px"}],"affected":[{"package":{"name":"paramiko","ecosystem":"PyPI","purl":"pkg:pypi/paramiko"},"ranges":[{"type":"GIT","repo":"https://github.com/paramiko/paramiko","events":[{"introduced":"0"},{"fixed":"fa29bd8446c8eab237f5187d28787727b4610516"}]},{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.17.6"},{"introduced":"2.0.0"},{"fixed":"2.0.8"},{"introduced":"2.1.0"},{"fixed":"2.1.5"},{"introduced":"2.2.0"},{"fixed":"2.2.3"},{"introduced":"2.3.0"},{"fixed":"2.3.2"},{"introduced":"1.18.0"},{"fixed":"1.18.5"}]}],"versions":["0.1-bulbasaur","0.1-charmander","0.9-doduo","0.9-eevee","0.9-fearow","0.9-gyarados","0.9-horsea","0.9-ivysaur","1.0","1.1","1.10.0","1.10.1","1.10.2","1.10.3","1.10.4","1.10.5","1.10.6","1.10.7","1.11.0","1.11.1","1.11.2","1.11.3","1.11.4","1.11.5","1.11.6","1.12.0","1.12.1","1.12.2","1.12.3","1.12.4","1.13.0","1.13.1","1.13.2","1.13.3","1.13.4","1.14.0","1.14.1","1.14.2","1.14.3","1.15.0","1.15.1","1.15.2","1.15.3","1.15.4","1.15.5","1.16.0","1.16.1","1.16.2","1.16.3","1.17.0","1.17.1","1.17.2","1.17.3","1.17.4","1.17.5","1.18.0","1.18.1","1.18.2","1.18.3","1.18.4","1.2","1.3","1.3.1","1.4","1.5.1","1.5.2","1.5.4","1.6","1.6.1","1.6.2","1.6.3","1.6.4","1.7","1.7.1","1.7.2","1.7.4","1.7.5","1.7.6","1.7.7.1","1.7.7.2","1.8.0","1.8.1","1.9.0","2.0.0","2.0.1","2.0.2","2.0.3","2.0.4","2.0.5","2.0.6","2.0.7","2.1.0","2.1.1","2.1.2","2.1.3","2.1.4","2.2.0","2.2.1","2.2.2","2.3.0","2.3.1"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/paramiko/PYSEC-2018-19.yaml"}}],"schema_version":"1.7.3"}