Upgrade paramiko to version 2.0.9 or later (CVE-2018-1000805, CVE-2018-7750)
nhandler opened this issue · 2 comments
GitHub flagged the following security vulnerabilities affecting this repository.
https://nvd.nist.gov/vuln/detail/CVE-2018-1000805
CVE-2018-1000805
high severity
Vulnerable versions: < 2.0.9
Patched version: 2.0.9
Paramiko version 2.4.1, 2.3.2, 2.2.3, 2.1.5, 2.0.8, 1.18.5, 1.17.6 contains an Incorrect Access Control vulnerability in SSH server that can result in RCE. This attack appears to be exploitable via network connectivity.
https://nvd.nist.gov/vuln/detail/CVE-2018-7750
CVE-2018-7750
high severity
Vulnerable versions: < 1.17.6
Patched version: 1.17.6
transport.py in the SSH server implementation of Paramiko before 1.17.6, 1.18.x before 1.18.5, 2.0.x before 2.0.8, 2.1.x before 2.1.5, 2.2.x before 2.2.3, 2.3.x before 2.3.2, and 2.4.x before 2.4.1 does not properly check whether authentication is completed before processing other requests, as demonstrated by channel-open. A customized SSH client can simply skip the authentication step.
@nhandler Thanks for reporting this. A bit confused though. If the patched version is 2.0.9, would '2.4.1, 2.3.2, 2.2.3, 2.1.5' be vulnerable versions with incorrect 'Incorrect Access Control'?