CVE-2023-6918

A flaw was found in the libssh implements abstract layer for message digest (MD) operations implemented by different supported crypto backends. The return values from these were not properly checked, which could cause low-memory situations failures, NULL dereferences, crashes, or usage of the uninitialized memory as an input for the KDF. In this case, non-matching keys will result in decryption/integrity failures, terminating the connection.

Published: Dec 19, 2023
Updated: May 10, 2024
CVE: CVE-2023-6918
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5.3
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CWEs:

CWE-252

Affected Software
References

Software	From	Fixed in
libssh / libssh	0.9.0	0.9.8
libssh / libssh	0.10.0	0.10.6
redhat / enterprise_linux	8.0	8.0.x
redhat / enterprise_linux	9.0	9.0.x
fedoraproject / fedora	38	38.x
fedoraproject / fedora	39	39.x

https://access.redhat.com/errata/RHSA-2024:2504
https://access.redhat.com/errata/RHSA-2024:3233
https://access.redhat.com/security/cve/CVE-2023-6918
https://bugzilla.redhat.com/show_bug.cgi?id=2254997
https://lists.fedoraproject.org/archives/list/[email protected]/message/LZQVUHWVWRH73YBXUQJOD6CKHDQBU3DM/
https://lists.fedoraproject.org/archives/list/[email protected]/message/MKQRBF3DWMWPH36LBCOBUTSIZRTPEZXB/
https://security.netapp.com/advisory/ntap-20250214-0009/
https://www.libssh.org/2023/12/18/libssh-0-10-6-and-libssh-0-9-8-security-releases/
https://www.libssh.org/security/advisories/CVE-2023-6918.txt

Vulnerability Database

289,599

CVE-2023-6918