—
PYSEC-2018-19
Details
transport.py in the SSH server implementation of Paramiko before 1.17.6, 1.18.x before 1.18.5, 2.0.x before 2.0.8, 2.1.x before 2.1.5, 2.2.x before 2.2.3, 2.3.x before 2.3.2, and 2.4.x before 2.4.1 does not properly check whether authentication is completed before processing other requests, as demonstrated by channel-open. A customized SSH client can simply skip the authentication step.
Are you affected?
Enter the version of the package you're using.
Affected packages
PyPI / paramiko
Introduced in:
0 Fixed in: fa29bd8446c8eab237f5187d28787727b4610516 Fix
pip install --upgrade 'paramiko>=fa29bd8446c8eab237f5187d28787727b4610516' References
- https://github.com/paramiko/paramiko/commit/fa29bd8446c8eab237f5187d28787727b4610516 [FIX]
- https://github.com/paramiko/paramiko/blob/master/sites/www/changelog.rst [WEB]
- https://github.com/paramiko/paramiko/issues/1175 [REPORT]
- https://usn.ubuntu.com/3603-2/ [WEB]
- https://access.redhat.com/errata/RHSA-2018:0591 [ADVISORY]
- https://usn.ubuntu.com/3603-1/ [WEB]
- https://access.redhat.com/errata/RHSA-2018:0646 [ADVISORY]
- https://access.redhat.com/errata/RHSA-2018:1125 [ADVISORY]
- https://access.redhat.com/errata/RHSA-2018:1124 [ADVISORY]
- https://access.redhat.com/errata/RHSA-2018:1213 [ADVISORY]
- http://www.securityfocus.com/bid/103713 [WEB]
- https://access.redhat.com/errata/RHSA-2018:1274 [ADVISORY]
- https://access.redhat.com/errata/RHSA-2018:1328 [ADVISORY]
- https://access.redhat.com/errata/RHSA-2018:1525 [ADVISORY]
- https://access.redhat.com/errata/RHSA-2018:1972 [ADVISORY]
- https://lists.debian.org/debian-lts-announce/2018/10/msg00018.html [WEB]
- https://www.exploit-db.com/exploits/45712/ [WEB]
- https://github.com/advisories/GHSA-232r-66cg-79px [ADVISORY]