NVD Vulnerability Detail

CVE-2023-6918

Summary	A flaw was found in the libssh implements abstract layer for message digest (MD) operations implemented by different supported crypto backends. The return values from these were not properly checked, which could cause low-memory situations failures, NULL dereferences, crashes, or usage of the uninitialized memory as an input for the KDF. In this case, non-matching keys will result in decryption/integrity failures, terminating the connection.
Publication Date	Dec. 19, 2023, 9:15 a.m.
Registration Date	Dec. 19, 2023, noon
Last Update	Nov. 21, 2024, 5:44 p.m.

Affected software configurations

Configuration2	or higher	or less	more than	less than
cpe:2.3:o:redhat:enterprise_linux:8.0:::::::*
cpe:2.3:o:redhat:enterprise_linux:9.0:::::::*
cpe:2.3:o:fedoraproject:fedora:38:::::::*
cpe:2.3:o:fedoraproject:fedora:39:::::::*

Related information, measures and tools

No	URL	タグ
1	https://access.redhat.com/errata/RHSA-2024:2504
2	https://access.redhat.com/errata/RHSA-2024:2504
3	https://access.redhat.com/errata/RHSA-2024:3233
4	https://access.redhat.com/errata/RHSA-2024:3233
5	https://access.redhat.com/security/cve/CVE-2023-6918	Mailing List Vendor Advisory
6	https://access.redhat.com/security/cve/CVE-2023-6918	Mailing List Vendor Advisory
7	https://bugzilla.redhat.com/show_bug.cgi?id=2254997	Issue Tracking Third Party Advisory
8	https://bugzilla.redhat.com/show_bug.cgi?id=2254997	Issue Tracking Third Party Advisory
9	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LZQVUHWVWRH73YBXUQJOD6CKHDQBU3DM/
10	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MKQRBF3DWMWPH36LBCOBUTSIZRTPEZXB/
11	https://www.libssh.org/2023/12/18/libssh-0-10-6-and-libssh-0-9-8-security-releases/	Release Notes
12	https://www.libssh.org/2023/12/18/libssh-0-10-6-and-libssh-0-9-8-security-releases/	Release Notes
13	https://www.libssh.org/security/advisories/CVE-2023-6918.txt	Vendor Advisory
14	https://www.libssh.org/security/advisories/CVE-2023-6918.txt	Vendor Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-252	未チェックの戻り値	https://cwe.mitre.org/data/definitions/252.html

JVN Vulnerability Information

libssh の libssh 等複数ベンダの製品における未チェックの戻り値に関する脆弱性

Title	libssh の libssh 等複数ベンダの製品における未チェックの戻り値に関する脆弱性
Summary	libssh の libssh 等複数ベンダの製品には、未チェックの戻り値に関する脆弱性が存在します。
Possible impacts	サービス運用妨害 (DoS) 状態にされる可能性があります。
Solution	ベンダアドバイザリまたはパッチ情報が公開されています。参考情報を参照して適切な対策を実施してください。
Publication Date	Dec. 19, 2023, midnight
Registration Date	Jan. 30, 2024, 11:12 a.m.
Last Update	Jan. 30, 2024, 11:12 a.m.

Affected System

レッドハット

Red Hat Enterprise Linux 8.0

Red Hat Enterprise Linux 9.0

Fedora Project

Fedora 38

Fedora 39

libssh

libssh 0.10.0 以上 0.10.6 未満

libssh 0.9.0 以上 0.9.8 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2023-6918	https://www.cve.org/CVERecord?id=CVE-2023-6918
National Vulnerability Database (NVD)
2	CVE-2023-6918	https://nvd.nist.gov/vuln/detail/CVE-2023-6918

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-252	https://cwe.mitre.org/data/definitions/252.html

その他

No	Name	URL
関連文書
1	access.redhat.com (CVE-2023-6918)	https://access.redhat.com/security/cve/CVE-2023-6918
2	bugzilla.redhat.com (2254997)	https://bugzilla.redhat.com/show_bug.cgi?id=2254997
3	lists.fedoraproject.org (LZQVUHWVWRH73YBXUQJOD6CKHDQBU3DM)	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LZQVUHWVWRH73YBXUQJOD6CKHDQBU3DM/
4	lists.fedoraproject.org (MKQRBF3DWMWPH36LBCOBUTSIZRTPEZXB)	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MKQRBF3DWMWPH36LBCOBUTSIZRTPEZXB/
5	www.libssh.org (CVE-2023-6918.txt)	https://www.libssh.org/security/advisories/CVE-2023-6918.txt
6	www.libssh.org (libssh-0-10-6-and-libssh-0-9-8-security-releases)	https://www.libssh.org/2023/12/18/libssh-0-10-6-and-libssh-0-9-8-security-releases/

Change Log

No	Changed Details	Date of change
1	[2024年01月30日] 掲載	Jan. 30, 2024, 11:12 a.m.