{"id":"CVE-2018-1000805","details":"Paramiko versions 2.4.1, 2.3.2, 2.2.3, 2.1.5, 2.0.8, 1.18.5, and 1.17.6 contain an Incorrect Access Control vulnerability in the SSH server that can result in remote code execution (RCE). This attack appears to be exploitable via network connectivity.","aliases":["GHSA-f2j6-wrhh-v25m","PYSEC-2018-69"],"modified":"2026-04-11T12:06:27.225310Z","published":"2018-10-08T15:29:00.713Z","related":["SUSE-SU-2019:0174-1","SUSE-SU-2019:0396-1","SUSE-SU-2019:0481-1","SUSE-SU-2020:1274-1","SUSE-SU-2021:0038-1","SUSE-SU-2022:3730-1","openSUSE-SU-2019:0129-1","openSUSE-SU-2024:11249-1"],"database_specific":{"unresolved_ranges":[{"extracted_events":[{"last_affected":"12.04"}],"cpe":"cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*","source":"CPE_FIELD"},{"extracted_events":[{"last_affected":"14.04"}],"cpe":"cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*","source":"CPE_FIELD"},{"extracted_events":[{"last_affected":"16.04"}],"cpe":"cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*","source":"CPE_FIELD"},{"extracted_events":[{"last_affected":"18.04"}],"cpe":"cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*","source":"CPE_FIELD"},{"extracted_events":[{"last_affected":"18.10"}],"cpe":"cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*","source":"CPE_FIELD"},{"extracted_events":[{"last_affected":"8.0"}],"cpe":"cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*","source":"CPE_FIELD"},{"extracted_events":[{"last_affected":"9.0"}],"cpe":"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*","source":"CPE_FIELD"},{"extracted_events":[{"last_affected":"6.0"}],"cpe":"cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*","source":"CPE_FIELD"},{"extracted_events":[{"last_affected":"7.0"}],"cpe":"cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*","source":"CPE_FIELD"},{"extracted_events":[{"last_affected":"6.0"}],"cpe":"cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*","source":"CPE_FIELD"},{"extracted_events":[{"last_affected":"7.0"}],"cpe":"cpe:2
.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*","source":"CPE_FIELD"},{"extracted_events":[{"last_affected":"6.4"}],"cpe":"cpe:2.3:o:redhat:enterprise_linux_server_aus:6.4:*:*:*:*:*:*:*","source":"CPE_FIELD"},{"extracted_events":[{"last_affected":"6.5"}],"cpe":"cpe:2.3:o:redhat:enterprise_linux_server_aus:6.5:*:*:*:*:*:*:*","source":"CPE_FIELD"},{"extracted_events":[{"last_affected":"6.6"}],"cpe":"cpe:2.3:o:redhat:enterprise_linux_server_aus:6.6:*:*:*:*:*:*:*","source":"CPE_FIELD"},{"extracted_events":[{"last_affected":"7.6"}],"cpe":"cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*","source":"CPE_FIELD"},{"extracted_events":[{"last_affected":"6.7"}],"cpe":"cpe:2.3:o:redhat:enterprise_linux_server_eus:6.7:*:*:*:*:*:*:*","source":"CPE_FIELD"},{"extracted_events":[{"last_affected":"7.6"}],"cpe":"cpe:2.3:o:redhat:enterprise_linux_server_eus:7.6:*:*:*:*:*:*:*","source":"CPE_FIELD"},{"extracted_events":[{"last_affected":"6.6"}],"cpe":"cpe:2.3:o:redhat:enterprise_linux_server_tus:6.6:*:*:*:*:*:*:*","source":"CPE_FIELD"},{"extracted_events":[{"last_affected":"7.6"}],"cpe":"cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:*","source":"CPE_FIELD"},{"extracted_events":[{"last_affected":"6.0"}],"cpe":"cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*","source":"CPE_FIELD"},{"extracted_events":[{"last_affected":"7.0"}],"cpe":"cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*","source":"CPE_FIELD"}]},"references":[{"type":"WEB","url":"https://herolab.usd.de/wp-content/uploads/sites/4/usd20180023.txt"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHBA-2018:3497"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:3347"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:3406"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:3505"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2018/10/msg00018.html"},{"type":"ADVISORY","url":"h
ttps://lists.debian.org/debian-lts-announce/2021/12/msg00025.html"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/3796-1/"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/3796-2/"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/3796-3/"},{"type":"FIX","url":"https://github.com/paramiko/paramiko/issues/1283"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/paramiko/paramiko","events":[{"introduced":"0"},{"last_affected":"ac3f78648d2f48c3a99bbf0295245954a34ab46d"},{"last_affected":"3a50a3eb09168343af2d06ff7f269d2493af4e0b"},{"last_affected":"30452567c69096ad4aabd159ed3f3ad1ef83ab47"},{"last_affected":"e62f35a71bcc90447f3eee6f5b48f174a7bfb83e"},{"last_affected":"04f0d9fc74f6219d2932252b6ba7d835bb4914ef"},{"last_affected":"c07b6e6b8b94fe8a946a8120c1d1b4039c1fe4f0"},{"last_affected":"8bd1506c816b025b4a74e1b254e4879518ae696d"},{"last_affected":"2f33ea86a3a431a034e343620285377251ce3ba1"},{"last_affected":"aad0370db9fd5c22064a673c9602fc48314eb6f4"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"last_affected":"1.17.6"},{"last_affected":"1.18.5"},{"last_affected":"2.0.8"},{"last_affected":"2.1.5"},{"last_affected":"2.2.3"},{"last_affected":"2.3.2"},{"last_affected":"2.4.1"},{"last_affected":"3.3"},{"last_affected":"4.0"}],"cpe":["cpe:2.3:a:paramiko:paramiko:1.17.6:*:*:*:*:*:*:*","cpe:2.3:a:paramiko:paramiko:1.18.5:*:*:*:*:*:*:*","cpe:2.3:a:paramiko:paramiko:2.0.8:*:*:*:*:*:*:*","cpe:2.3:a:paramiko:paramiko:2.1.5:*:*:*:*:*:*:*","cpe:2.3:a:paramiko:paramiko:2.2.3:*:*:*:*:*:*:*","cpe:2.3:a:paramiko:paramiko:2.3.2:*:*:*:*:*:*:*","cpe:2.3:a:paramiko:paramiko:2.4.1:*:*:*:*:*:*:*","cpe:2.3:a:redhat:ansible_tower:3.3:*:*:*:*:*:*:*","cpe:2.3:a:redhat:virtualization_host:4.0:*:*:*:*:*:*:*"],"source":"CPE_FIELD"}}],"versions":["1.11.0","1.12.0","1.15.0","1.15.2","1.16.1","1.16.2","1.16.3","1.17.0","1.17.1","1.17.2","1.17.3","1.17.4","1.17.5","1.17.6","1.18.0","1.18.1","1.18.2","1.18.3","1.18.4","1.18.5","1.7.7.1","1.7.7.2","1.8.0","2.0.0","2.0.1"
,"2.0.2","2.0.3","2.0.4","2.0.5","2.0.7","2.0.8","2.1.0","2.1.1","2.1.2","2.1.3","2.1.4","2.1.5","2.11.0","2.12.0","2.2.0","2.2.1","2.2.3","2.3.0","2.3.1","2.3.2","2.4.0","2.4.1","2.7.0","2.8.0","2.8.1","3.0.0","3.1.0","3.2.0","3.3.0","3.4.0","3.5.0","3.5.1","4.0.0","initial-merge-from-ssh-done","release-1.7.4","release-1.7.5","release-1.7.6","v1.11.0","v1.12.0","v1.15.0","v1.15.2","v1.16.1","v1.16.2","v1.16.3","v1.17.0","v1.17.1","v1.17.2","v1.17.3","v1.18.0","v1.18.1","v1.7.7.1","v1.7.7.2","v1.8.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2018-1000805.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}