{
  "threat_severity" : "Low",
  "public_date" : "2020-07-30T00:00:00Z",
  "bugzilla" : {
    "description" : "libssh: NULL pointer dereference in sftpserver.c if ssh_buffer_new returns NULL",
    "id" : "1862456",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1862456"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.9",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-476",
  "details" : [ "libssh 0.9.4 has a NULL pointer dereference in tftpserver.c if ssh_buffer_new returns NULL.", "A flaw was found in libssh. A NULL pointer dereference in tftpserver.c if ssh_buffer_new returns NULL." ],
  "statement" : "libssh2 as shipped with Red Hat Enterprise Linux 6, 7, and 8 are NOT affected by this flaw; libssh2 and libssh are different codebases and libssh2 does not contain the vulnerable code. Red Hat Product Security has set the impact of this flaw to Low because there is no demonstrated way for an attacker to reliably force a NULL pointer dereference via a code path in the affected libssh code.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2021-11-09T00:00:00Z",
    "advisory" : "RHSA-2021:4387",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "libssh-0:0.9.4-3.el8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2021-11-09T00:00:00Z",
    "advisory" : "RHSA-2021:4387",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "libssh-0:0.9.4-3.el8"
  }, {
    "product_name" : "Red Hat Virtualization 4 for Red Hat Enterprise Linux 8",
    "release_date" : "2021-11-19T00:00:00Z",
    "advisory" : "RHSA-2021:4750",
    "cpe" : "cpe:/o:redhat:rhev_hypervisor:4.4::el8",
    "package" : "redhat-virtualization-host-0:4.4.9-202111172338_8.5"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "libssh2",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Fix deferred",
    "package_name" : "libssh",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "libssh2",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "libssh2",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2020-16135\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-16135\nhttps://bugs.gentoo.org/734624" ],
  "name" : "CVE-2020-16135",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}