PYSEC-2018-19
PUBLISHED
transport.py in the SSH server implementation of Paramiko before 1.17.6, 1.18.x before 1.18.5, 2.0.x before 2.0.8, 2.1.x before 2.1.5, 2.2.x before 2.2.3, 2.3.x before 2.3.2, and 2.4.x before 2.4.1 does not properly check whether authentication is completed before processing other requests, as demonstrated by channel-open. A customized SSH client can simply skip the authentication step.
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| PyPI | paramiko | 0, 2.0.0, 2.1.0 |
Timeline
- Mar 13, 2018 CVE Published
- Oct 27, 2018 PoC Published
- Nov 8, 2023 CVE Updated
- May 1, 2026 Distribution Patch
References
- https://github.com/paramiko/paramiko/blob/master/sites/www/changelog.rst (url)
- http://www.securityfocus.com/bid/103713 (url)
- https://github.com/advisories/GHSA-232r-66cg-79px (advisory)
- https://access.redhat.com/errata/RHSA-2018:1124 (advisory)
- https://access.redhat.com/errata/RHSA-2018:1213 (advisory)
- https://www.exploit-db.com/exploits/45712/ (exploit)
- https://github.com/paramiko/paramiko/commit/fa29bd8446c8eab237f5187d28787727b4610516 (fix)
- https://github.com/paramiko/paramiko/issues/1175 (discussion)
- https://usn.ubuntu.com/3603-2/ (advisory)
- https://access.redhat.com/errata/RHSA-2018:0591 (advisory)
- https://usn.ubuntu.com/3603-1/ (advisory)
- https://access.redhat.com/errata/RHSA-2018:0646 (advisory)
- https://access.redhat.com/errata/RHSA-2018:1125 (advisory)
- https://access.redhat.com/errata/RHSA-2018:1274 (advisory)
- https://access.redhat.com/errata/RHSA-2018:1328 (advisory)
- https://access.redhat.com/errata/RHSA-2018:1525 (advisory)
- https://access.redhat.com/errata/RHSA-2018:1972 (advisory)
- https://lists.debian.org/debian-lts-announce/2018/10/msg00018.html (advisory)