Unchecked Return Value Affecting libssh2 package, versions *
Snyk CVSS
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-CENTOS7-LIBSSH2-6131682
- published 19 Dec 2023
- disclosed 18 Dec 2023
Introduced: 18 Dec 2023
CVE-2023-6918 Open this link in a new tabHow to fix?
There is no fixed version for Centos:7 libssh2.
NVD Description
Note: Versions mentioned in the description apply only to the upstream libssh2 package and not the libssh2 package as distributed by Centos.
See How to fix? for Centos:7 relevant fixed versions and status.
A flaw was found in the libssh implements abstract layer for message digest (MD) operations implemented by different supported crypto backends. The return values from these were not properly checked, which could cause low-memory situations failures, NULL dereferences, crashes, or usage of the uninitialized memory as an input for the KDF. In this case, non-matching keys will result in decryption/integrity failures, terminating the connection.
References
- https://access.redhat.com/security/cve/CVE-2023-6918
- https://bugzilla.redhat.com/show_bug.cgi?id=2254997
- https://www.libssh.org/2023/12/18/libssh-0-10-6-and-libssh-0-9-8-security-releases/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MKQRBF3DWMWPH36LBCOBUTSIZRTPEZXB/
- https://www.libssh.org/security/advisories/CVE-2023-6918.txt
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LZQVUHWVWRH73YBXUQJOD6CKHDQBU3DM/
- https://access.redhat.com/errata/RHSA-2024:2504