CVE-2019-3860

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2019-3860

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-3860.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2019-3860

Downstream

ALPINE-CVE-2019-3860

DEBIAN-CVE-2019-3860

DLA-1730-1

DLA-1730-4

DSA-4431-1

SUSE-SU-2019:0655-1

SUSE-SU-2019:13982-1

SUSE-SU-2019:13997-1

SUSE-SU-2019:14098-1

SUSE-SU-2019:14099-1

SUSE-SU-2019:1606-1

SUSE-SU-2019:1606-2

SUSE-SU-2020:3551-1

UBUNTU-CVE-2019-3860

USN-5308-1

openSUSE-SU-2019:1109-1

openSUSE-SU-2020:2126-1

openSUSE-SU-2020:2129-1

openSUSE-SU-2024:10999-1

Related

Published

2019-03-25T19:29:01Z

Modified

2025-10-21T05:08:07.760065Z

Severity

9.1 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H CVSS Calculator

Summary

[none]

Details

An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the way SFTP packets with empty payloads are parsed. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.

References

Affected packages

Git / github.com/libssh2/libssh2

Affected ranges

Type: GIT
Repo: https://github.com/libssh2/libssh2
Events: Introduced

3f24fb005e78fd61fa37e797b17e733bd32b452f

Last affected

30e9c1347e3b8baa2951db612f05e6d87fc8e2f2

Affected versions

RELEASE.*

RELEASE.0.10

RELEASE.0.11

RELEASE.0.12

RELEASE.0.13

RELEASE.0.14

RELEASE.0.15

RELEASE.0.16

RELEASE.0.17

RELEASE.0.18

RELEASE.0.3

RELEASE.0.5

RELEASE.0.6

RELEASE.0.7

RELEASE.0.8

RELEASE.1.0

RELEASE.1.1

beforenb-0.*

beforenb-0.14

beforenb2-0.*

beforenb2-0.14

libssh2-1.*

libssh2-1.2

libssh2-1.2.1

libssh2-1.2.2

libssh2-1.2.3

libssh2-1.2.4

libssh2-1.2.5

libssh2-1.2.6

libssh2-1.2.7

libssh2-1.2.8

libssh2-1.2.9

libssh2-1.3.0

libssh2-1.4.0

libssh2-1.4.1

libssh2-1.4.2

libssh2-1.4.3

libssh2-1.5.0

libssh2-1.6.0

libssh2-1.7.0

libssh2-1.8.0