Vulnerability-Lookup

RHSA-2018:1124

Vulnerability from csaf_redhat - Published: 2018-04-12 21:45 - Updated: 2025-11-21 18:04

Summary

Red Hat Security Advisory: python-paramiko security update

Severity

Critical

Notes

Topic: An update for python-paramiko is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Details: The python-paramiko package provides a Python module that implements the SSH2 protocol for encrypted and authenticated connections to remote machines. Unlike SSL, the SSH2 protocol does not require hierarchical certificates signed by a powerful central authority. The protocol also includes the ability to open arbitrary channels to remote services across an encrypted tunnel. Security Fix(es): * python-paramiko: Authentication bypass in transport.py (CVE-2018-7750) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

CVE-2018-7750

It was found that when acting as an SSH server, paramiko did not properly check whether authentication is completed before processing other requests. A customized SSH client could use this to bypass authentication when accessing any resources controlled by paramiko.

9.8 (Critical)


                        
                          CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-287 - Improper Authentication

Affected products

Fixed 8 products

Product	Version	Remediation
Unresolved product id: 6Client-6.9.z:python-paramiko-0:1.7.5-4.el6_9.noarch	—	Vendor Fix fix
Unresolved product id: 6Client-6.9.z:python-paramiko-0:1.7.5-4.el6_9.src	—	Vendor Fix fix
Unresolved product id: 6ComputeNode-6.9.z:python-paramiko-0:1.7.5-4.el6_9.noarch	—	Vendor Fix fix
Unresolved product id: 6ComputeNode-6.9.z:python-paramiko-0:1.7.5-4.el6_9.src	—	Vendor Fix fix
Unresolved product id: 6Server-6.9.z:python-paramiko-0:1.7.5-4.el6_9.noarch	—	Vendor Fix fix
Unresolved product id: 6Server-6.9.z:python-paramiko-0:1.7.5-4.el6_9.src	—	Vendor Fix fix
Unresolved product id: 6Workstation-6.9.z:python-paramiko-0:1.7.5-4.el6_9.noarch	—	Vendor Fix fix
Unresolved product id: 6Workstation-6.9.z:python-paramiko-0:1.7.5-4.el6_9.src	—	Vendor Fix fix

Threats

Impact Critical

References

8 references

URL	Category
https://access.redhat.com/errata/RHSA-2018:1124	self
https://access.redhat.com/security/updates/classi…	external
https://bugzilla.redhat.com/show_bug.cgi?id=1557130	external
https://security.access.redhat.com/data/csaf/v2/a…	self
https://access.redhat.com/security/cve/CVE-2018-7750	self
https://bugzilla.redhat.com/show_bug.cgi?id=1557130	external
https://www.cve.org/CVERecord?id=CVE-2018-7750	external
https://nvd.nist.gov/vuln/detail/CVE-2018-7750	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Critical"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update for python-paramiko is now available for Red Hat Enterprise Linux 6.\n\nRed Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "The python-paramiko package provides a Python module that implements the SSH2 protocol for encrypted and authenticated connections to remote machines. Unlike SSL, the SSH2 protocol does not require hierarchical certificates signed by a powerful central authority. The protocol also includes the ability to open arbitrary channels to remote services across an encrypted tunnel.\n\nSecurity Fix(es):\n\n* python-paramiko: Authentication bypass in transport.py (CVE-2018-7750)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2018:1124",
        "url": "https://access.redhat.com/errata/RHSA-2018:1124"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#critical",
        "url": "https://access.redhat.com/security/updates/classification/#critical"
      },
      {
        "category": "external",
        "summary": "1557130",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1557130"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2018/rhsa-2018_1124.json"
      }
    ],
    "title": "Red Hat Security Advisory: python-paramiko security update",
    "tracking": {
      "current_release_date": "2025-11-21T18:04:20+00:00",
      "generator": {
        "date": "2025-11-21T18:04:20+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.6.12"
        }
      },
      "id": "RHSA-2018:1124",
      "initial_release_date": "2018-04-12T21:45:18+00:00",
      "revision_history": [
        {
          "date": "2018-04-12T21:45:18+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2018-04-12T21:45:18+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2025-11-21T18:04:20+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux Desktop (v. 6)",
                "product": {
                  "name": "Red Hat Enterprise Linux Desktop (v. 6)",
                  "product_id": "6Client-6.9.z",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:6::client"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux HPC Node (v. 6)",
                "product": {
                  "name": "Red Hat Enterprise Linux HPC Node (v. 6)",
                  "product_id": "6ComputeNode-6.9.z",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:6::computenode"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux Server (v. 6)",
                "product": {
                  "name": "Red Hat Enterprise Linux Server (v. 6)",
                  "product_id": "6Server-6.9.z",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:6::server"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux Workstation (v. 6)",
                "product": {
                  "name": "Red Hat Enterprise Linux Workstation (v. 6)",
                  "product_id": "6Workstation-6.9.z",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:6::workstation"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Enterprise Linux"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python-paramiko-0:1.7.5-4.el6_9.src",
                "product": {
                  "name": "python-paramiko-0:1.7.5-4.el6_9.src",
                  "product_id": "python-paramiko-0:1.7.5-4.el6_9.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/python-paramiko@1.7.5-4.el6_9?arch=src"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python-paramiko-0:1.7.5-4.el6_9.noarch",
                "product": {
                  "name": "python-paramiko-0:1.7.5-4.el6_9.noarch",
                  "product_id": "python-paramiko-0:1.7.5-4.el6_9.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/python-paramiko@1.7.5-4.el6_9?arch=noarch"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python-paramiko-0:1.7.5-4.el6_9.noarch as a component of Red Hat Enterprise Linux Desktop (v. 6)",
          "product_id": "6Client-6.9.z:python-paramiko-0:1.7.5-4.el6_9.noarch"
        },
        "product_reference": "python-paramiko-0:1.7.5-4.el6_9.noarch",
        "relates_to_product_reference": "6Client-6.9.z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python-paramiko-0:1.7.5-4.el6_9.src as a component of Red Hat Enterprise Linux Desktop (v. 6)",
          "product_id": "6Client-6.9.z:python-paramiko-0:1.7.5-4.el6_9.src"
        },
        "product_reference": "python-paramiko-0:1.7.5-4.el6_9.src",
        "relates_to_product_reference": "6Client-6.9.z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python-paramiko-0:1.7.5-4.el6_9.noarch as a component of Red Hat Enterprise Linux HPC Node (v. 6)",
          "product_id": "6ComputeNode-6.9.z:python-paramiko-0:1.7.5-4.el6_9.noarch"
        },
        "product_reference": "python-paramiko-0:1.7.5-4.el6_9.noarch",
        "relates_to_product_reference": "6ComputeNode-6.9.z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python-paramiko-0:1.7.5-4.el6_9.src as a component of Red Hat Enterprise Linux HPC Node (v. 6)",
          "product_id": "6ComputeNode-6.9.z:python-paramiko-0:1.7.5-4.el6_9.src"
        },
        "product_reference": "python-paramiko-0:1.7.5-4.el6_9.src",
        "relates_to_product_reference": "6ComputeNode-6.9.z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python-paramiko-0:1.7.5-4.el6_9.noarch as a component of Red Hat Enterprise Linux Server (v. 6)",
          "product_id": "6Server-6.9.z:python-paramiko-0:1.7.5-4.el6_9.noarch"
        },
        "product_reference": "python-paramiko-0:1.7.5-4.el6_9.noarch",
        "relates_to_product_reference": "6Server-6.9.z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python-paramiko-0:1.7.5-4.el6_9.src as a component of Red Hat Enterprise Linux Server (v. 6)",
          "product_id": "6Server-6.9.z:python-paramiko-0:1.7.5-4.el6_9.src"
        },
        "product_reference": "python-paramiko-0:1.7.5-4.el6_9.src",
        "relates_to_product_reference": "6Server-6.9.z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python-paramiko-0:1.7.5-4.el6_9.noarch as a component of Red Hat Enterprise Linux Workstation (v. 6)",
          "product_id": "6Workstation-6.9.z:python-paramiko-0:1.7.5-4.el6_9.noarch"
        },
        "product_reference": "python-paramiko-0:1.7.5-4.el6_9.noarch",
        "relates_to_product_reference": "6Workstation-6.9.z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python-paramiko-0:1.7.5-4.el6_9.src as a component of Red Hat Enterprise Linux Workstation (v. 6)",
          "product_id": "6Workstation-6.9.z:python-paramiko-0:1.7.5-4.el6_9.src"
        },
        "product_reference": "python-paramiko-0:1.7.5-4.el6_9.src",
        "relates_to_product_reference": "6Workstation-6.9.z"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2018-7750",
      "cwe": {
        "id": "CWE-287",
        "name": "Improper Authentication"
      },
      "discovery_date": "2018-03-16T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1557130"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "It was found that when acting as an SSH server, paramiko did not properly check whether authentication is completed before processing other requests. A customized SSH client could use this to bypass authentication when accessing any resources controlled by paramiko.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "python-paramiko: Authentication bypass in transport.py",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This flaw is a user authentication bypass in the SSH Server functionality of paramiko (normally used by subclassing `paramiko.ServerInterface`). Where paramiko is used only for its client-side functionality (e.g. `paramiko.SSHClient`), the vulnerability is not exposed and thus cannot be exploited.\n\nThe following Red Hat products use paramiko only in client-side mode. Server side functionality is not used.\n\n* Red Hat Ceph Storage 2\n* Red Hat CloudForms 4\n* Red Hat Enterprise Linux 7\n* Red Hat Enterprise Virtualization\n* Red Hat Gluster Storage 3\n* Red Hat Openshift Container Platform\n* Red Hat Quick Cloud Installer\n* Red Hat Satellite 6\n* Red Hat Storage Console 2\n* Red Hat OpenStack Platform\n* Red Hat Update Infrastructure",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "6Client-6.9.z:python-paramiko-0:1.7.5-4.el6_9.noarch",
          "6Client-6.9.z:python-paramiko-0:1.7.5-4.el6_9.src",
          "6ComputeNode-6.9.z:python-paramiko-0:1.7.5-4.el6_9.noarch",
          "6ComputeNode-6.9.z:python-paramiko-0:1.7.5-4.el6_9.src",
          "6Server-6.9.z:python-paramiko-0:1.7.5-4.el6_9.noarch",
          "6Server-6.9.z:python-paramiko-0:1.7.5-4.el6_9.src",
          "6Workstation-6.9.z:python-paramiko-0:1.7.5-4.el6_9.noarch",
          "6Workstation-6.9.z:python-paramiko-0:1.7.5-4.el6_9.src"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2018-7750"
        },
        {
          "category": "external",
          "summary": "RHBZ#1557130",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1557130"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2018-7750",
          "url": "https://www.cve.org/CVERecord?id=CVE-2018-7750"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-7750",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-7750"
        }
      ],
      "release_date": "2018-03-13T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2018-04-12T21:45:18+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "6Client-6.9.z:python-paramiko-0:1.7.5-4.el6_9.noarch",
            "6Client-6.9.z:python-paramiko-0:1.7.5-4.el6_9.src",
            "6ComputeNode-6.9.z:python-paramiko-0:1.7.5-4.el6_9.noarch",
            "6ComputeNode-6.9.z:python-paramiko-0:1.7.5-4.el6_9.src",
            "6Server-6.9.z:python-paramiko-0:1.7.5-4.el6_9.noarch",
            "6Server-6.9.z:python-paramiko-0:1.7.5-4.el6_9.src",
            "6Workstation-6.9.z:python-paramiko-0:1.7.5-4.el6_9.noarch",
            "6Workstation-6.9.z:python-paramiko-0:1.7.5-4.el6_9.src"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2018:1124"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "6Client-6.9.z:python-paramiko-0:1.7.5-4.el6_9.noarch",
            "6Client-6.9.z:python-paramiko-0:1.7.5-4.el6_9.src",
            "6ComputeNode-6.9.z:python-paramiko-0:1.7.5-4.el6_9.noarch",
            "6ComputeNode-6.9.z:python-paramiko-0:1.7.5-4.el6_9.src",
            "6Server-6.9.z:python-paramiko-0:1.7.5-4.el6_9.noarch",
            "6Server-6.9.z:python-paramiko-0:1.7.5-4.el6_9.src",
            "6Workstation-6.9.z:python-paramiko-0:1.7.5-4.el6_9.noarch",
            "6Workstation-6.9.z:python-paramiko-0:1.7.5-4.el6_9.src"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Critical"
        }
      ],
      "title": "python-paramiko: Authentication bypass in transport.py"
    }
  ]
}

CVE-2018-7750 (GCVE-0-2018-7750)

Vulnerability from cvelistv5 – Published: 2018-03-13 18:00 – Updated: 2024-08-05 06:37

Summary

transport.py in the SSH server implementation of Paramiko before 1.17.6, 1.18.x before 1.18.5, 2.0.x before 2.0.8, 2.1.x before 2.1.5, 2.2.x before 2.2.3, 2.3.x before 2.3.2, and 2.4.x before 2.4.1 does not properly check whether authentication is completed before processing other requests, as demonstrated by channel-open. A customized SSH client can simply skip the authentication step.

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

18 references

URL	Tags
https://access.redhat.com/errata/RHSA-2018:1124	vendor-advisoryx_refsource_REDHAT
https://www.exploit-db.com/exploits/45712/	exploitx_refsource_EXPLOIT-DB
https://github.com/paramiko/paramiko/issues/1175	x_refsource_CONFIRM
https://access.redhat.com/errata/RHSA-2018:1125	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2018:1972	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2018:1274	vendor-advisoryx_refsource_REDHAT
https://lists.debian.org/debian-lts-announce/2018…	mailing-listx_refsource_MLIST
https://usn.ubuntu.com/3603-2/	vendor-advisoryx_refsource_UBUNTU
https://access.redhat.com/errata/RHSA-2018:0646	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2018:1213	vendor-advisoryx_refsource_REDHAT
https://usn.ubuntu.com/3603-1/	vendor-advisoryx_refsource_UBUNTU
https://access.redhat.com/errata/RHSA-2018:1525	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2018:1328	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2018:0591	vendor-advisoryx_refsource_REDHAT
http://www.securityfocus.com/bid/103713	vdb-entryx_refsource_BID
https://github.com/paramiko/paramiko/commit/fa29b…	x_refsource_CONFIRM
https://github.com/paramiko/paramiko/blob/master/…	x_refsource_CONFIRM
https://lists.debian.org/debian-lts-announce/2021…	mailing-listx_refsource_MLIST

Date Public ?

2018-03-13 00:00

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T06:37:58.928Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "RHSA-2018:1124",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2018:1124"
          },
          {
            "name": "45712",
            "tags": [
              "exploit",
              "x_refsource_EXPLOIT-DB",
              "x_transferred"
            ],
            "url": "https://www.exploit-db.com/exploits/45712/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/paramiko/paramiko/issues/1175"
          },
          {
            "name": "RHSA-2018:1125",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2018:1125"
          },
          {
            "name": "RHSA-2018:1972",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2018:1972"
          },
          {
            "name": "RHSA-2018:1274",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2018:1274"
          },
          {
            "name": "[debian-lts-announce] 20181027 [SECURITY] [DLA 1556-1] paramiko security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2018/10/msg00018.html"
          },
          {
            "name": "USN-3603-2",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "https://usn.ubuntu.com/3603-2/"
          },
          {
            "name": "RHSA-2018:0646",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2018:0646"
          },
          {
            "name": "RHSA-2018:1213",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2018:1213"
          },
          {
            "name": "USN-3603-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "https://usn.ubuntu.com/3603-1/"
          },
          {
            "name": "RHSA-2018:1525",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2018:1525"
          },
          {
            "name": "RHSA-2018:1328",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2018:1328"
          },
          {
            "name": "RHSA-2018:0591",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2018:0591"
          },
          {
            "name": "103713",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/103713"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/paramiko/paramiko/commit/fa29bd8446c8eab237f5187d28787727b4610516"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/paramiko/paramiko/blob/master/sites/www/changelog.rst"
          },
          {
            "name": "[debian-lts-announce] 20211228 [SECURITY] [DLA 2860-1] paramiko security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00025.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2018-03-13T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "transport.py in the SSH server implementation of Paramiko before 1.17.6, 1.18.x before 1.18.5, 2.0.x before 2.0.8, 2.1.x before 2.1.5, 2.2.x before 2.2.3, 2.3.x before 2.3.2, and 2.4.x before 2.4.1 does not properly check whether authentication is completed before processing other requests, as demonstrated by channel-open. A customized SSH client can simply skip the authentication step."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-12-28T12:06:17.000Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "RHSA-2018:1124",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2018:1124"
        },
        {
          "name": "45712",
          "tags": [
            "exploit",
            "x_refsource_EXPLOIT-DB"
          ],
          "url": "https://www.exploit-db.com/exploits/45712/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/paramiko/paramiko/issues/1175"
        },
        {
          "name": "RHSA-2018:1125",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2018:1125"
        },
        {
          "name": "RHSA-2018:1972",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2018:1972"
        },
        {
          "name": "RHSA-2018:1274",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2018:1274"
        },
        {
          "name": "[debian-lts-announce] 20181027 [SECURITY] [DLA 1556-1] paramiko security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2018/10/msg00018.html"
        },
        {
          "name": "USN-3603-2",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "https://usn.ubuntu.com/3603-2/"
        },
        {
          "name": "RHSA-2018:0646",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2018:0646"
        },
        {
          "name": "RHSA-2018:1213",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2018:1213"
        },
        {
          "name": "USN-3603-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "https://usn.ubuntu.com/3603-1/"
        },
        {
          "name": "RHSA-2018:1525",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2018:1525"
        },
        {
          "name": "RHSA-2018:1328",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2018:1328"
        },
        {
          "name": "RHSA-2018:0591",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2018:0591"
        },
        {
          "name": "103713",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/103713"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/paramiko/paramiko/commit/fa29bd8446c8eab237f5187d28787727b4610516"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/paramiko/paramiko/blob/master/sites/www/changelog.rst"
        },
        {
          "name": "[debian-lts-announce] 20211228 [SECURITY] [DLA 2860-1] paramiko security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00025.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2018-7750",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "transport.py in the SSH server implementation of Paramiko before 1.17.6, 1.18.x before 1.18.5, 2.0.x before 2.0.8, 2.1.x before 2.1.5, 2.2.x before 2.2.3, 2.3.x before 2.3.2, and 2.4.x before 2.4.1 does not properly check whether authentication is completed before processing other requests, as demonstrated by channel-open. A customized SSH client can simply skip the authentication step."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "RHSA-2018:1124",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2018:1124"
            },
            {
              "name": "45712",
              "refsource": "EXPLOIT-DB",
              "url": "https://www.exploit-db.com/exploits/45712/"
            },
            {
              "name": "https://github.com/paramiko/paramiko/issues/1175",
              "refsource": "CONFIRM",
              "url": "https://github.com/paramiko/paramiko/issues/1175"
            },
            {
              "name": "RHSA-2018:1125",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2018:1125"
            },
            {
              "name": "RHSA-2018:1972",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2018:1972"
            },
            {
              "name": "RHSA-2018:1274",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2018:1274"
            },
            {
              "name": "[debian-lts-announce] 20181027 [SECURITY] [DLA 1556-1] paramiko security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2018/10/msg00018.html"
            },
            {
              "name": "USN-3603-2",
              "refsource": "UBUNTU",
              "url": "https://usn.ubuntu.com/3603-2/"
            },
            {
              "name": "RHSA-2018:0646",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2018:0646"
            },
            {
              "name": "RHSA-2018:1213",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2018:1213"
            },
            {
              "name": "USN-3603-1",
              "refsource": "UBUNTU",
              "url": "https://usn.ubuntu.com/3603-1/"
            },
            {
              "name": "RHSA-2018:1525",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2018:1525"
            },
            {
              "name": "RHSA-2018:1328",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2018:1328"
            },
            {
              "name": "RHSA-2018:0591",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2018:0591"
            },
            {
              "name": "103713",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/103713"
            },
            {
              "name": "https://github.com/paramiko/paramiko/commit/fa29bd8446c8eab237f5187d28787727b4610516",
              "refsource": "CONFIRM",
              "url": "https://github.com/paramiko/paramiko/commit/fa29bd8446c8eab237f5187d28787727b4610516"
            },
            {
              "name": "https://github.com/paramiko/paramiko/blob/master/sites/www/changelog.rst",
              "refsource": "CONFIRM",
              "url": "https://github.com/paramiko/paramiko/blob/master/sites/www/changelog.rst"
            },
            {
              "name": "[debian-lts-announce] 20211228 [SECURITY] [DLA 2860-1] paramiko security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00025.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2018-7750",
    "datePublished": "2018-03-13T18:00:00.000Z",
    "dateReserved": "2018-03-07T00:00:00.000Z",
    "dateUpdated": "2024-08-05T06:37:58.928Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

RHSA-2018:1124

CVE-2018-7750 (GCVE-0-2018-7750)

Tags

Sightings

Nomenclature