{"url":"http://public2.vulnerablecode.io/api/packages/56098?format=json","purl":"pkg:pypi/paramiko@2.3.0","type":"pypi","namespace":"","name":"paramiko","version":"2.3.0","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"2.3.2","latest_non_vulnerable_version":"3.4.0","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/35186?format=json","vulnerability_id":"VCID-mfvw-qzb9-8bax","summary":"transport.py in the SSH server implementation of Paramiko before 1.17.6, 1.18.x before 1.18.5, 2.0.x before 2.0.8, 2.1.x before 2.1.5, 2.2.x before 2.2.3, 2.3.x before 2.3.2, and 2.4.x before 2.4.1 does not properly check whether authentication is completed before processing other requests, as demonstrated by channel-open. A customized SSH client can simply skip the authentication step.","references":[{"reference_url":"https://access.redhat.com/errata/RHSA-2018:0591","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2018:0591"},{"reference_url":"https://access.redhat.com/errata/RHSA-2018:0646","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2018:0646"},{"reference_url":"https://access.redhat.com/errata/RHSA-2018:1124","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2018:1124"},{"reference_url":"https://access.redhat.com/errata/RHSA-2018:1125","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2018:1125"},{"reference_url":"https://access.redhat.com/errata/RHSA-2018:1213","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2018:1213"},{"reference_url":"https://access.redhat.com/errata/RHSA-2018:1274","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2018:1274"},{"reference_url":"https://access.redhat.com/errata/RHSA-2018:1328","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2018:1328"},{"reference_url":"https://access.redhat.com/errata/RHSA-2018:1525","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2018:1525"},{"reference_url":"https://access.redhat.com/errata/RHSA-2018:1972","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2018:1972"},{"reference_url":"https://github.com/advisories/GHSA-232r-66cg-79px","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-232r-66cg-79px"},{"reference_url":"https://github.com/paramiko/paramiko","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/paramiko/paramiko"},{"reference_url":"https://github.com/paramiko/paramiko/blob/e861c7697622774071ce73b46ffe8817eacdedfa/sites/www/changelog.rst?plain=1#L759-L763","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/paramiko/paramiko/blob/e861c7697622774071ce73b46ffe8817eacdedfa/sites/www/changelog.rst?plain=1#L759-L763"},{"reference_url":"https://github.com/paramiko/paramiko/blob/master/sites/www/changelog.rst","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/paramiko/paramiko/blob/master/sites/www/changelog.rst"},{"reference_url":"https://github.com/paramiko/paramiko/commit/e9dfd854bdaf8af15d7834f7502a0451d217bb8c","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/paramiko/paramiko/commit/e9dfd854bdaf8af15d7834f7502a0451d217bb8c"},{"reference_url":"https://github.com/paramiko/paramiko/commit/fa29bd8446c8eab237f5187d28787727b4610516","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/paramiko/paramiko/commit/fa29bd8446c8eab237f5187d28787727b4610516"},{"reference_url":"https://github.com/paramiko/paramiko/issues/1175","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/paramiko/paramiko/issues/1175"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/paramiko/PYSEC-2018-19.yaml","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/paramiko/PYSEC-2018-19.yaml"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2018/10/msg00018.html","reference_id":"","reference_type":"","scores":[],"url":"https://lists.debian.org/debian-lts-announce/2018/10/msg00018.html"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2021/12/msg00025.html","reference_id":"","reference_type":"","scores":[],"url":"https://lists.debian.org/debian-lts-announce/2021/12/msg00025.html"},{"reference_url":"https://usn.ubuntu.com/3603-1","reference_id":"","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/3603-1"},{"reference_url":"https://usn.ubuntu.com/3603-1/","reference_id":"","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/3603-1/"},{"reference_url":"https://usn.ubuntu.com/3603-2","reference_id":"","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/3603-2"},{"reference_url":"https://usn.ubuntu.com/3603-2/","reference_id":"","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/3603-2/"},{"reference_url":"https://web.archive.org/web/20190831123128/http://www.securityfocus.com/bid/103713","reference_id":"","reference_type":"","scores":[],"url":"https://web.archive.org/web/20190831123128/http://www.securityfocus.com/bid/103713"},{"reference_url":"https://www.exploit-db.com/exploits/45712","reference_id":"","reference_type":"","scores":[],"url":"https://www.exploit-db.com/exploits/45712"},{"reference_url":"https://www.exploit-db.com/exploits/45712/","reference_id":"","reference_type":"","scores":[],"url":"https://www.exploit-db.com/exploits/45712/"},{"reference_url":"http://www.securityfocus.com/bid/103713","reference_id":"","reference_type":"","scores":[],"url":"http://www.securityfocus.com/bid/103713"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2018-7750","reference_id":"CVE-2018-7750","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-7750"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/10784?format=json","purl":"pkg:pypi/paramiko@2.3.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/paramiko@2.3.2"},{"url":"http://public2.vulnerablecode.io/api/packages/56100?format=json","purl":"pkg:pypi/paramiko@2.4.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/paramiko@2.4.1"}],"aliases":["CVE-2018-7750","GHSA-232r-66cg-79px","PYSEC-2018-19"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-mfvw-qzb9-8bax"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/35270?format=json","vulnerability_id":"VCID-qrh9-bxde-fqau","summary":"Paramiko version 2.4.1, 2.3.2, 2.2.3, 2.1.5, 2.0.8, 1.18.5, 1.17.6 contains a Incorrect Access Control vulnerability in SSH server that can result in RCE. This attack appear to be exploitable via network connectivity.","references":[{"reference_url":"https://access.redhat.com/errata/RHBA-2018:3497","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHBA-2018:3497"},{"reference_url":"https://access.redhat.com/errata/RHSA-2018:3347","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2018:3347"},{"reference_url":"https://access.redhat.com/errata/RHSA-2018:3406","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2018:3406"},{"reference_url":"https://access.redhat.com/errata/RHSA-2018:3505","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2018:3505"},{"reference_url":"https://github.com/advisories/GHSA-f2j6-wrhh-v25m","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-f2j6-wrhh-v25m"},{"reference_url":"https://github.com/paramiko/paramiko","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/paramiko/paramiko"},{"reference_url":"https://github.com/paramiko/paramiko/issues/1283","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/paramiko/paramiko/issues/1283"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/paramiko/PYSEC-2018-69.yaml","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/paramiko/PYSEC-2018-69.yaml"},{"reference_url":"https://herolab.usd.de/wp-content/uploads/sites/4/usd20180023.txt","reference_id":"","reference_type":"","scores":[],"url":"https://herolab.usd.de/wp-content/uploads/sites/4/usd20180023.txt"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2018/10/msg00018.html","reference_id":"","reference_type":"","scores":[],"url":"https://lists.debian.org/debian-lts-announce/2018/10/msg00018.html"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2021/12/msg00025.html","reference_id":"","reference_type":"","scores":[],"url":"https://lists.debian.org/debian-lts-announce/2021/12/msg00025.html"},{"reference_url":"https://usn.ubuntu.com/3796-1","reference_id":"","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/3796-1"},{"reference_url":"https://usn.ubuntu.com/3796-1/","reference_id":"","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/3796-1/"},{"reference_url":"https://usn.ubuntu.com/3796-2","reference_id":"","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/3796-2"},{"reference_url":"https://usn.ubuntu.com/3796-2/","reference_id":"","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/3796-2/"},{"reference_url":"https://usn.ubuntu.com/3796-3","reference_id":"","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/3796-3"},{"reference_url":"https://usn.ubuntu.com/3796-3/","reference_id":"","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/3796-3/"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1000805","reference_id":"CVE-2018-1000805","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1000805"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/56534?format=json","purl":"pkg:pypi/paramiko@2.3.3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/paramiko@2.3.3"},{"url":"http://public2.vulnerablecode.io/api/packages/56533?format=json","purl":"pkg:pypi/paramiko@2.4.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/paramiko@2.4.2"}],"aliases":["CVE-2018-1000805","GHSA-f2j6-wrhh-v25m","PYSEC-2018-69"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qrh9-bxde-fqau"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/paramiko@2.3.0"}