PublicDateAtUSN: 2019-12-10 15:00:00 UTC
Candidate: CVE-2019-14889
CRD: 2019-12-10 15:00:00 UTC
PublicDate: 2019-12-10 23:15:00 UTC
References: 
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14889
 https://www.libssh.org/security/advisories/CVE-2019-14889.txt
 https://ubuntu.com/security/notices/USN-4219-1
Description:
 A flaw was found with the libssh API function ssh_scp_new() in versions
 before 0.9.3 and before 0.8.8. When the libssh SCP client connects to a
 server, the scp command, which includes a user-provided path, is executed
 on the server-side. In case the library is used in a way where users can
 influence the third parameter of the function, it would become possible for
 an attacker to inject arbitrary commands, leading to a compromise of the
 remote target.
Ubuntu-Description: 
Notes: 
Mitigation: 
Bugs: 
Priority: medium
Discovered-by:
Assigned-to: mdeslaur
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H [8.0 HIGH]


Patches_libssh:
upstream_libssh: released (0.8.8,0.9.3)
precise/esm_libssh: DNE
trusty_libssh: ignored (out of standard support)
trusty/esm_libssh: DNE
xenial_libssh: released (0.6.3-4.3ubuntu0.5)
esm-infra/xenial_libssh: released (0.6.3-4.3ubuntu0.5)
bionic_libssh: released (0.8.0~20170825.94fa1e38-1ubuntu0.5)
disco_libssh: released (0.8.6-3ubuntu0.3)
eoan_libssh: released (0.9.0-1ubuntu1.3)
devel_libssh: released (0.9.0-1ubuntu5)