CVE-2018-1000805 : Paramiko version 2.4.1, 2.3.2, 2.2.3, 2.1.5, 2.0.8, 1.18.5, 1.17.6 contains a In

Paramiko version 2.4.1, 2.3.2, 2.2.3, 2.1.5, 2.0.8, 1.18.5, 1.17.6 contains a Incorrect Access Control vulnerability in SSH server that can result in RCE. This attack appear to be exploitable via network connectivity.

Published 2018-10-08 15:29:01

Updated 2022-04-06 18:35:38

Source MITRE

View at NVD, CVE.org

Products affected by CVE-2018-1000805

Debian » Debian Linux » Version: 8.0
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
Matching versions
Debian » Debian Linux » Version: 9.0
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Desktop » Version: 6.0
cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Desktop » Version: 7.0
cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server » Version: 6.0
cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server » Version: 7.0
cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Workstation » Version: 6.0
cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Workstation » Version: 7.0
cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server Aus » Version: 6.4
cpe:2.3:o:redhat:enterprise_linux_server_aus:6.4:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server Aus » Version: 6.5
cpe:2.3:o:redhat:enterprise_linux_server_aus:6.5:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server Aus » Version: 6.6
cpe:2.3:o:redhat:enterprise_linux_server_aus:6.6:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server Aus » Version: 7.6
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server Eus » Version: 7.6
cpe:2.3:o:redhat:enterprise_linux_server_eus:7.6:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server Eus » Version: 6.7
cpe:2.3:o:redhat:enterprise_linux_server_eus:6.7:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server Tus » Version: 6.6
cpe:2.3:o:redhat:enterprise_linux_server_tus:6.6:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server Tus » Version: 7.6
cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:*
Matching versions
Redhat » Virtualization Host » Version: 4.0
cpe:2.3:a:redhat:virtualization_host:4.0:*:*:*:*:*:*:*
Matching versions
Redhat » Ansible Tower » Version: 3.3
cpe:2.3:a:redhat:ansible_tower:3.3:*:*:*:*:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 14.04 LTS Edition
cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 12.04 ESM Edition
cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 16.04 LTS Edition
cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 18.04 LTS Edition
cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 18.10
cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*
Matching versions
Paramiko » Paramiko » Version: 2.1.5
cpe:2.3:a:paramiko:paramiko:2.1.5:*:*:*:*:*:*:*
Matching versions
Paramiko » Paramiko » Version: 1.18.5
cpe:2.3:a:paramiko:paramiko:1.18.5:*:*:*:*:*:*:*
Matching versions
Paramiko » Paramiko » Version: 2.3.2
cpe:2.3:a:paramiko:paramiko:2.3.2:*:*:*:*:*:*:*
Matching versions
Paramiko » Paramiko » Version: 2.2.3
cpe:2.3:a:paramiko:paramiko:2.2.3:*:*:*:*:*:*:*
Matching versions
Paramiko » Paramiko » Version: 2.4.1
cpe:2.3:a:paramiko:paramiko:2.4.1:*:*:*:*:*:*:*
Matching versions
Paramiko » Paramiko » Version: 2.0.8
cpe:2.3:a:paramiko:paramiko:2.0.8:*:*:*:*:*:*:*
Matching versions
Paramiko » Paramiko » Version: 1.17.6
cpe:2.3:a:paramiko:paramiko:1.17.6:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2018-1000805

EPSS FAQ

0.25%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 65 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2018-1000805

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
6.5	MEDIUM	AV:N/AC:L/Au:S/C:P/I:P/A:P	8.0	6.4	NIST
Access Vector: Network Access Complexity: Low Authentication: Single Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
8.8	HIGH	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	2.8	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2018-1000805

CWE-863 Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2018-1000805

https://access.redhat.com/errata/RHBA-2018:3497

RHBA-2018:3497 - Bug Fix Advisory - Red Hat Customer Portal
Third Party Advisory
https://usn.ubuntu.com/3796-3/

USN-3796-3: Paramiko vulnerability | Ubuntu security notices
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:3505

RHSA-2018:3505 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://lists.debian.org/debian-lts-announce/2018/10/msg00018.html

[SECURITY] [DLA 1556-1] paramiko security update
Mailing List;Third Party Advisory

CVEs referencing this url
https://github.com/paramiko/paramiko/issues/1283

[CVE-2018-1000805] Server-side auth vulnerability · Issue #1283 · paramiko/paramiko · GitHub
Patch;Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:3406

RHSA-2018:3406 - Security Advisory - Red Hat Customer Portal
Third Party Advisory
https://herolab.usd.de/wp-content/uploads/sites/4/usd20180023.txt

Broken Link
https://lists.debian.org/debian-lts-announce/2021/12/msg00025.html

[SECURITY] [DLA 2860-1] paramiko security update
Mailing List;Third Party Advisory

CVEs referencing this url
https://usn.ubuntu.com/3796-2/

USN-3796-2: Paramiko vulnerability | Ubuntu security notices
Third Party Advisory
https://usn.ubuntu.com/3796-1/

USN-3796-1: Paramiko vulnerability | Ubuntu security notices
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:3347

RHSA-2018:3347 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

Jump to

Vulnerability Details : CVE-2018-1000805

Products affected by CVE-2018-1000805

Exploit prediction scoring system (EPSS) score for CVE-2018-1000805

CVSS scores for CVE-2018-1000805

CWE ids for CVE-2018-1000805

References for CVE-2018-1000805