CVE-2020-1730

Published: 4/13/2020 Last updated: 8/4/2024 Reserved: 11/27/2019

A flaw was found in libssh versions before 0.8.9 and before 0.9.4 in the way it handled AES-CTR (or DES ciphers if enabled) ciphers. The server or client could crash when the connection hasn't been fully initialized and the system tries to cleanup the ciphers when closing the connection. The biggest threat from this vulnerability is system availability.

CNA assigner: redhat (53f830b8-0a3f-465b-8143-3b8a9948e749) Requested by: n/a

Metrics

Version	Score	Severity	Vector String
3.1	5.3	Medium	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Opam packages affected (1)

libssh

Products affected (1)

Product	Vendor	Version
libssh	Red Hat	5.0.0 and earlier

References (14)

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VLSWHBQ3EPKGTGLQNH554Z746BJ3C554/
https://usn.ubuntu.com/4327-1/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2A7BIFKUYIYKTY7FX4BEWVC2OHS5DPOU/
https://www.oracle.com/security-alerts/cpuoct2020.html
https://www.libssh.org/security/advisories/CVE-2020-1730.txt
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1730
https://security.netapp.com/advisory/ntap-20200424-0001/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VLSWHBQ3EPKGTGLQNH554Z746BJ3C554/
https://usn.ubuntu.com/4327-1/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2A7BIFKUYIYKTY7FX4BEWVC2OHS5DPOU/
https://www.oracle.com/security-alerts/cpuoct2020.html
https://www.libssh.org/security/advisories/CVE-2020-1730.txt
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1730
https://security.netapp.com/advisory/ntap-20200424-0001/