{"id":"USN-5308-1","summary":"libssh2 vulnerabilities","details":"It was discovered that libssh2 mishandled certain input. If libssh2 were\nused to connect to a malicious or compromised SSH server, a remote,\nunauthenticated attacker could possibly execute arbitrary code on the client \nsystem. (CVE-2019-3855)\n\nIt was discovered that libssh2 incorrectly handled prompt requests. A\nremote attacker could possibly use this issue to execute arbitrary code.\n(CVE-2019-3856)\n\nIt was discovered that libssh2 incorrectly handled SSH_MSG_CHANNEL_REQUEST\npackets. A remote attacker could possibly use this issue to execute\narbitrary code, cause a denial of service, or obtain sensitive information. \n(CVE-2019-3857, CVE-2019-3862)\n\nIt was discovered that libssh2 incorrectly handled specially crafted SFTP\npackets. A remote attacker could possibly use this issue to cause a denial\nof service or obtain sensitive information. (CVE-2019-3858)\n\nIt was discovered that libssh2 incorrectly handled certain specially\ncrafted packets. A remote attacker could possibly use this issue to cause a\ndenial of service or obtain sensitive information. (CVE-2019-3859)\n\nIt was discovered that libssh2 incorrectly handled SFTP packets with empty\npayloads. A remote attacker could possibly use this issue to cause a denial\nof service or obtain sensitive information. (CVE-2019-3860)\n\nIt was discovered that libssh2 incorrectly handled padding values in SSH\npackets. A remote attacker could possibly use this issue to cause a denial\nof service or obtain sensitive information. (CVE-2019-3861)\n\nIt was discovered that libssh2 incorrectly handled interactive response\nmessages length. A remote attacker could possibly use this issue to execute\narbitrary code. (CVE-2019-3863)\n\nIt was discovered that libssh2 incorrectly handled the Diffie Hellman key\nexchange. A remote attacker could possibly use this issue to cause a denial\nof service or obtain sensitive information. (CVE-2019-13115)\n\nIt was discovered that libssh2 incorrectly handled bound checks in\nSSH_MSG_DISCONNECT. A remote attacker could possibly use this issue to\ncause a denial of service or obtain sensitive information. (CVE-2019-17498)\n","modified":"2026-04-27T16:21:57.505847Z","published":"2022-03-07T23:47:01Z","related":["UBUNTU-CVE-2019-13115","UBUNTU-CVE-2019-17498","UBUNTU-CVE-2019-3855","UBUNTU-CVE-2019-3856","UBUNTU-CVE-2019-3857","UBUNTU-CVE-2019-3858","UBUNTU-CVE-2019-3859","UBUNTU-CVE-2019-3860","UBUNTU-CVE-2019-3861","UBUNTU-CVE-2019-3862","UBUNTU-CVE-2019-3863"],"upstream":["CVE-2019-13115","CVE-2019-17498","CVE-2019-3855","CVE-2019-3856","CVE-2019-3857","CVE-2019-3858","CVE-2019-3859","CVE-2019-3860","CVE-2019-3861","CVE-2019-3862","CVE-2019-3863","UBUNTU-CVE-2019-13115","UBUNTU-CVE-2019-17498","UBUNTU-CVE-2019-3855","UBUNTU-CVE-2019-3856","UBUNTU-CVE-2019-3857","UBUNTU-CVE-2019-3858","UBUNTU-CVE-2019-3859","UBUNTU-CVE-2019-3860","UBUNTU-CVE-2019-3861","UBUNTU-CVE-2019-3862","UBUNTU-CVE-2019-3863"],"references":[{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-5308-1"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2019-3855"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2019-3856"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2019-3857"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2019-3858"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2019-3859"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2019-3860"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2019-3861"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2019-3862"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2019-3863"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2019-13115"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2019-17498"}],"affected":[{"package":{"name":"libssh2","ecosystem":"Ubuntu:Pro:16.04:LTS","purl":"pkg:deb/ubuntu/libssh2@1.5.0-2ubuntu0.1+esm1?arch=source&distro=esm-apps/xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.5.0-2ubuntu0.1+esm1"}]}],"versions":["1.5.0-2","1.5.0-2ubuntu0.1"],"ecosystem_specific":{"binaries":[{"binary_version":"1.5.0-2ubuntu0.1+esm1","binary_name":"libssh2-1"}],"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro"},"database_specific":{"cves_map":{"cves":[{"id":"CVE-2019-3855","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2019-3856","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2019-3857","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2019-3858","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"},{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2019-3859","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"},{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2019-3860","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"},{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2019-3861","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"},{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2019-3862","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2019-3863","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2019-13115","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2019-17498","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]}],"ecosystem":"Ubuntu:Pro:16.04:LTS"},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-5308-1.json"}}],"schema_version":"1.7.5"}