CVE-2018-7750
CRITICAL 9.8 | EPSS 13.8% | Paramiko not properly checking authentication before processing other requests
Published: 2018/7/12 | Modified: 2026/4/28
Description
transport.py in the SSH server implementation of Paramiko before 1.17.6, 1.18.x before 1.18.5, 2.0.x before 2.0.8, 2.1.x before 2.1.5, 2.2.x before 2.2.3, 2.3.x before 2.3.2, and 2.4.x before 2.4.1 does not properly check whether authentication is completed before processing other requests, as demonstrated by channel-open. A customized SSH client can simply skip the authentication step.
Affected packages (4)
- Alpine/py3-paramiko: from 0, < 2.4.1-r0
- Debian/paramiko: from 0, < 2.4.2-0.1
- PyPI/paramiko: >= 2.0.0, < 2.0.8
- PyPI/paramiko: from 0, < fa29bd8446c8eab237f5187d28787727b4610516 | from 0, < 1.17.6; >= 1.18.0, < 1.18.5; >= 2.0.0, < 2.0.8; >= 2.1.0, < 2.1.5; >= 2.2.0, < 2.2.3; >= 2.3.0, < 2.3.2
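The branch-by-branch version ranges above are easy to misread when auditing an installed copy, so here is an added audit helper (not Paramiko's own code) that encodes the PyPI ranges from this advisory and tells you whether a given version string falls inside one of them. It assumes PyPI-style version strings (`X.Y[.Z]` with an optional `a`/`b`/`rc` pre-release tag); distribution-suffixed strings such as the Alpine `2.4.1-r0` are rejected rather than guessed at.

```python
"""Audit helper for CVE-2018-7750: is a given Paramiko version affected?

Added example, not Paramiko's own code. Ranges are the PyPI ranges from
the advisory: everything below 1.17.6, plus the 1.18/2.0/2.1/2.2/2.3/2.4
branches before their respective fixed releases."""
import re

# (first affected, first fixed) per release branch; each range is [lo, hi).
# "from 0, < 1.17.6" means every release below 1.17.6 is affected.
AFFECTED_RANGES = [
    ((0, 0, 0), (1, 17, 6)),
    ((1, 18, 0), (1, 18, 5)),
    ((2, 0, 0), (2, 0, 8)),
    ((2, 1, 0), (2, 1, 5)),
    ((2, 2, 0), (2, 2, 3)),
    ((2, 3, 0), (2, 3, 2)),
    ((2, 4, 0), (2, 4, 1)),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(a|b|rc)?(\d+)?$")


def parse_version(text):
    """Parse 'X.Y[.Z][{a,b,rc}N]' into a sortable tuple.

    A final release gets rank 1 after its numbers; a pre-release gets rank 0
    plus its tag, so 2.0.8rc1 sorts below 2.0.8 (the fixed release)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, tag, tagnum = m.groups()
    release = (int(major), int(minor), int(patch or 0))
    if tag is None:
        return release + (1,)
    return release + (0, {"a": 0, "b": 1, "rc": 2}[tag], int(tagnum or 0))


def is_affected(version):
    """True if `version` lies inside any affected range for CVE-2018-7750.

    Pre-releases of the first fixed version (e.g. 2.0.8rc1) are treated as
    affected, since the advisory only vouches for the final release."""
    v = parse_version(version)
    return any(lo + (0,) <= v < hi + (1,) for lo, hi in AFFECTED_RANGES)


if __name__ == "__main__":
    for candidate in ("1.17.5", "1.18.5", "2.0.8rc1", "2.4.0", "2.4.1"):
        print(candidate, "affected" if is_affected(candidate) else "fixed")
```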
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | CRITICAL 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References (30)
- ADVISORY https://github.com/advisories/GHSA-232r-66cg-79px
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2018-7750
- ADVISORY https://security.alpinelinux.org/vuln/CVE-2018-7750
- ADVISORY https://security-tracker.debian.org/tracker/CVE-2018-7750
- PATCH https://github.com/paramiko/paramiko
- WEB https://access.redhat.com/errata/RHSA-2018:0591
- WEB https://access.redhat.com/errata/RHSA-2018:0646
- WEB https://access.redhat.com/errata/RHSA-2018:1124
- WEB https://access.redhat.com/errata/RHSA-2018:1125
- WEB https://access.redhat.com/errata/RHSA-2018:1213
- WEB https://access.redhat.com/errata/RHSA-2018:1274
- WEB https://access.redhat.com/errata/RHSA-2018:1328
- WEB https://access.redhat.com/errata/RHSA-2018:1525
- WEB https://access.redhat.com/errata/RHSA-2018:1972
- WEB https://github.com/paramiko/paramiko/blob/e861c7697622774071ce73b46ffe8817eacdedfa/sites/www/changelog.rst?plain=1#L759-L763
- WEB https://github.com/paramiko/paramiko/blob/master/sites/www/changelog.rst
- WEB https://github.com/paramiko/paramiko/commit/e9dfd854bdaf8af15d7834f7502a0451d217bb8c
- WEB https://github.com/paramiko/paramiko/commit/fa29bd8446c8eab237f5187d28787727b4610516
- WEB https://github.com/paramiko/paramiko/issues/1175
- WEB https://github.com/pypa/advisory-database/tree/main/vulns/paramiko/PYSEC-2018-19.yaml
- WEB https://lists.debian.org/debian-lts-announce/2018/10/msg00018.html
- WEB https://lists.debian.org/debian-lts-announce/2021/12/msg00025.html
- WEB https://usn.ubuntu.com/3603-1
- WEB https://usn.ubuntu.com/3603-1/
- WEB https://usn.ubuntu.com/3603-2
- WEB https://usn.ubuntu.com/3603-2/
- WEB https://web.archive.org/web/20190831123128/http://www.securityfocus.com/bid/103713
- WEB https://www.exploit-db.com/exploits/45712
- WEB https://www.exploit-db.com/exploits/45712/
- WEB http://www.securityfocus.com/bid/103713