<p>Upgrade <code>Amazon-Linux:2018.03</code> <code>libssh2</code> to version 0:1.4.2-3.13.amzn1 or higher.<br>This issue was patched in <code>ALAS-2023-1756</code>.</p>

Out-of-bounds Read Affecting libssh2 package, versions <0:1.4.2-3.13.amzn1

Snyk CVSS

Attack Complexity High

User Interaction Required

Threat Intelligence

EPSS 4.63% (93^rd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-AMZN201803-LIBSSH2-5668902
published 7 Jun 2023
disclosed 25 Mar 2019

Report a new vulnerability Found a mistake?

Introduced: 25 Mar 2019

CVE-2019-3860 Open this link in a new tab CWE-125 Open this link in a new tab

How to fix?

Upgrade Amazon-Linux:2018.03 libssh2 to version 0:1.4.2-3.13.amzn1 or higher.
This issue was patched in ALAS-2023-1756.

NVD Description

Note: Versions mentioned in the description apply only to the upstream libssh2 package and not the libssh2 package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2018.03 relevant fixed versions and status.

An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the way SFTP packets with empty payloads are parsed. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.