When the libssh SCP client connects to a server, the scp command, which includes a user-provided path, is executed on the server-side. In case the library is used in a way where users can influence the third parameter of ssh_scp_new(), it would become possible for an attacker to inject arbitrary commands, leading to a compromise of the remote target.
Upstream bug: https://bugs.libssh.org/T181
Acknowledgments: Name: libssh project Upstream: Cure53
External References: https://www.libssh.org/security/advisories/CVE-2019-14889.txt
Created libssh tracking bugs for this issue: Affects: epel-all [bug 1781781] Affects: fedora-all [bug 1781780]
Upstream patchset: https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.8&id=4aea835974996b2deb011024c53f4ff4329a95b5 https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.8&id=82c375b7c99141a5495e62060e0b7f9c97981e7e https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.8&id=2ba1dea5493fb2f5a5be2dd263ce46ccb5f8ec76 https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.8&id=391c78de9d0f7baec3a44d86a76f4e1324eb9529 https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.8&id=b0edec4e8d01ad73b0d26ad4070d7e1a1e86dfc8
Statement: Red Hat Virtualization only uses libssh for client-side, not server-side where this vulnerability is present.
The bug is a client side but, however I'm sure they don't use scp ;-)
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:4545 https://access.redhat.com/errata/RHSA-2020:4545
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-14889