CVE-2018-10933

A vulnerability was found in libsshs server-side state machine before versions 0.7.6 and 0.8.4. A malicious client could create channels without first performing authentication, resulting in unauthorized access.

Weakness

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Affected Software

Name	Vendor	Start Version	End Version
Libssh	Libssh	0.6.0 (including)	0.7.6 (excluding)
Libssh	Libssh	0.8.0 (including)	0.8.4 (excluding)

Potential Mitigations

https://cwe.mitre.org/data/definitions/114.html
https://cwe.mitre.org/data/definitions/115.html
https://cwe.mitre.org/data/definitions/151.html
https://cwe.mitre.org/data/definitions/194.html
https://cwe.mitre.org/data/definitions/22.html
https://cwe.mitre.org/data/definitions/57.html
https://cwe.mitre.org/data/definitions/593.html
https://cwe.mitre.org/data/definitions/633.html
https://cwe.mitre.org/data/definitions/650.html
https://cwe.mitre.org/data/definitions/94.html

References

http://www.securityfocus.com/bid/105677
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10933
https://lists.debian.org/debian-lts-announce/2018/10/msg00010.html
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2018-0016
https://security.netapp.com/advisory/ntap-20190118-0002/
https://usn.ubuntu.com/3795-1/
https://usn.ubuntu.com/3795-2/
https://www.debian.org/security/2018/dsa-4322
https://www.exploit-db.com/exploits/45638/
https://www.libssh.org/security/advisories/CVE-2018-10933.txt
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

NVD	https://nvd.nist.gov/vuln/detail/CVE-2018-10933
CWE	https://cwe.mitre.org/data/definitions/287.html

Improper Authentication

Weakness

Affected Software

Potential Mitigations

Related Attack Patterns

References