libssh2 - Heap Buffer Over-read via sftp_symlink() in sftp.c
Description
libssh2 through 1.11.1, fixed in commit 2dae302, contains an out-of-bounds heap read vulnerability in the sftp_symlink() function in src/sftp.c that allows a malicious SSH server or man-in-the-middle attacker to disclose heap memory contents or cause a crash by sending a crafted SSH_FXP_NAME response. Attackers can supply a link_len value larger than the actual packet data in SSH_FXP_NAME responses for SFTP READLINK and REALPATH operations, triggering a heap buffer over-read of up to target_len minus one bytes due to the missing validation of available packet buffer size before the memcpy operation.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
1Patches
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4- github.com/libssh2/libssh2/commit/2dae3024897e1898d389835151f4e9606227721dmitrepatch
- www.vulncheck.com/advisories/libssh2-heap-buffer-over-read-via-sftp-symlink-in-sftp-cmitrethird-party-advisory
- github.com/libssh2/libssh2/pull/1705mitretechnical-description
- github.com/libssh2/libssh2/pull/1717mitreissue-tracking
News mentions
0No linked articles in our index yet.