Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2014-0017

The RAND_bytes function in libssh before 0.6.3, when forking is enabled, does not properly reset the state of the OpenSSL pseudo-random number generator (PRNG), which causes the state to be shared between children processes and allows local users to obtain sensitive information by leveraging a pid collision.

Published

2014-03-14T15:55:05.603

Last Modified

2025-04-12T10:46:40.837

Status

Deferred

Source

[email protected]

Severity

CVSSv2: 1.9 (LOW)

CVSSv2 Vector

AV:L/AC:M/Au:N/C:P/I:N/A:N

  • Access Vector: LOCAL
  • Access Complexity: MEDIUM
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: NONE
  • Availability Impact: NONE
Exploitability Score

3.4

Impact Score

2.9

Weaknesses
  • Type: Primary
    CWE-310
Affected Vendors & Products
Type Vendor Product Version/Range Vulnerable?
Application libssh libssh ≤ 0.6.2 Yes
Application libssh libssh 0.4.7 Yes
Application libssh libssh 0.4.8 Yes
Application libssh libssh 0.5.0 Yes
Application libssh libssh 0.5.0 Yes
Application libssh libssh 0.5.1 Yes
Application libssh libssh 0.5.2 Yes
Application libssh libssh 0.5.3 Yes
Application libssh libssh 0.5.4 Yes
Application libssh libssh 0.5.5 Yes
Application libssh libssh 0.6.0 Yes
Application libssh libssh 0.6.1 Yes
References