VDB

ALPINE-CVE-2019-14889

ALPINE-CVE-2019-14889 PUBLISHED CVSS 8.800000190734863 HIGH

A flaw was found with the libssh API function ssh_scp_new() in versions before 0.9.3 and before 0.8.8. When the libssh SCP client connects to a server, the scp command, which includes a user-provided path, is executed on the server-side. In case the library is used in a way where users can influence the third parameter of the function, it would become possible for an attacker to inject arbitrary commands, leading to a compromise of the remote target.

Risk Scores

CVSS 3.1
8.800000190734863
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersions
Alpine:v3.8libssh0.4.5-r0, 0.9.0, 0.7.6-r0
Alpine:v3.11libssh0.6.0-r0, 0, 0.4.5-r0
Alpine:v3.9libssh0.7.2-r0, 0.4.6-r0, 0.5.1-r0
Alpine:v3.10libssh0.7.5-r1, 0.7.3-r0, 0.7.0-r0

Timeline

  • Dec 10, 2019 CVE Published
  • Apr 30, 2026 Distribution Patch
  • Jul 8, 2026 CVE Updated
Open in Interactive Console →
$ Console Community · 100/wk Open console ›