CVE-2018-1000805
The MITRE CVE dictionary describes this issue as:
Find out more about CVE-2018-1000805 from the MITRE CVE dictionary dictionary and NIST NVD.
Statement
This flaw is a user authentication bypass in the SSH Server functionality of paramiko (normally used by subclassing paramiko.ServerInterface). Where paramiko is used only for its client-side functionality (e.g. paramiko.SSHClient), the vulnerability is not exposed and thus cannot be exploited.
The following Red Hat products use paramiko only in client-side mode. Server side functionality is not used.
- Red Hat Ceph Storage 2
- Red Hat CloudForms 4
- Red Hat Enterprise Linux 7
- Red Hat Enterprise Virtualization
- Red Hat Gluster Storage 3
- Red Hat Openshift Container Platform
- Red Hat Quick Cloud Installer
- Red Hat Satellite 6
- Red Hat Storage Console 2
- Red Hat OpenStack Platform
- Red Hat Update Infrastructure
CVSS v3 metrics
NOTE: The following CVSS v3 metrics and score provided are preliminary and subject to review.
| CVSS3 Base Score | 9.8 |
|---|---|
| CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity Impact | High |
| Availability Impact | High |
Red Hat Security Errata
| Platform | Errata | Release Date |
|---|---|---|
| Red Hat Enterprise Linux 7 (python-paramiko) | RHSA-2018:3347 | 2018-10-30 |
Affected Packages State
| Platform | Package | State |
|---|---|---|
| Red Hat Virtualization 4 | rhvm-appliance | Affected |
| Red Hat Virtualization 4 | redhat-virtualization-host | Affected |
| Red Hat Satellite 6 | python-paramiko | Not affected |
| Red Hat OpenStack Platform 9.0 | python-paramiko | Will not fix |
| Red Hat OpenStack Platform 8.0 (Liberty) | python-paramiko | Will not fix |
| Red Hat OpenStack Platform 12.0 | python-paramiko | Will not fix |
| Red Hat OpenStack Platform 10 | python-paramiko | Will not fix |
| Red Hat OpenShift Enterprise 3.2 | python-paramiko | Affected |
| Red Hat OpenShift Enterprise 3.1 | python-paramiko | Affected |
| Red Hat OpenShift Enterprise 3.0 | python-paramiko | Affected |
| Red Hat OpenShift Container Platform 3.9 | python-paramiko | Affected |
| Red Hat OpenShift Container Platform 3.7 | python-paramiko | Affected |
| Red Hat OpenShift Container Platform 3.6 | python-paramiko | Affected |
| Red Hat OpenShift Container Platform 3.5 | python-paramiko | Affected |
| Red Hat OpenShift Container Platform 3.4 | python-paramiko | Affected |
| Red Hat OpenShift Container Platform 3.3 | python-paramiko | Affected |
| Red Hat Gluster Storage 3 | python-paramiko | Affected |
| Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7 | python-paramiko | Will not fix |
| Red Hat Enterprise Linux 6 | python-paramiko | Affected |
| Red Hat Ceph Storage 2 | python-paramiko | Affected |
CVE description copyright © 2017, The MITRE Corporation
