Vulnerability Details : CVE-2023-6918
A flaw was found in libssh's abstraction layer for message digest (MD) operations, which is implemented by the different supported crypto backends. The return values of these digest operations were not properly checked, so a low-memory situation could cause failures, NULL dereferences, crashes, or the use of uninitialized memory as input to the KDF. In that case, non-matching keys result in decryption/integrity failures that terminate the connection.
Products affected by CVE-2023-6918
- cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*
- cpe:2.3:a:libssh:libssh:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-6918
- EPSS score: 0.07% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~33% (the proportion of vulnerabilities scored at or below this value)
CVSS scores for CVE-2023-6918
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H | 3.9 | 5.2 | NIST | 2024-01-02
5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L | 3.9 | 1.4 | NIST | 2024-01-04
3.7 | LOW | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L | 2.2 | 1.4 | Red Hat, Inc. |
CWE ids for CVE-2023-6918
- The product does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions.
Assigned by:
- nvd@nist.gov (Primary)
- secalert@redhat.com (Secondary)
References for CVE-2023-6918
- https://access.redhat.com/security/cve/CVE-2023-6918 (CVE-2023-6918 - Red Hat Customer Portal) [Mailing List; Vendor Advisory]
- https://access.redhat.com/errata/RHSA-2024:2504 (RHSA-2024:2504 - Security Advisory - Red Hat Customer Portal)
- https://bugzilla.redhat.com/show_bug.cgi?id=2254997 (2254997 - (CVE-2023-6918) libssh: Missing checks for return values for digests) [Issue Tracking; Third Party Advisory]
- https://access.redhat.com/errata/RHSA-2024:3233 (RHSA-2024:3233 - Security Advisory - Red Hat Customer Portal)
- https://www.libssh.org/2023/12/18/libssh-0-10-6-and-libssh-0-9-8-security-releases/ (libssh 0.10.6 and libssh 0.9.8 security releases - libssh) [Release Notes]
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MKQRBF3DWMWPH36LBCOBUTSIZRTPEZXB/ ([SECURITY] Fedora 39 Update: libssh-0.10.6-1.fc39 - package-announce - Fedora Mailing-Lists) [Mailing List; Vendor Advisory]
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LZQVUHWVWRH73YBXUQJOD6CKHDQBU3DM/ ([SECURITY] Fedora 38 Update: libssh-0.10.6-2.fc38 - package-announce - Fedora Mailing-Lists) [Third Party Advisory]
- https://www.libssh.org/security/advisories/CVE-2023-6918.txt [Vendor Advisory]