Home > Vulnerability Database > CVE-2023-3603

Mend.io Vulnerability Database

CVE-2023-3603

Date: July 21, 2023

A missing allocation check in sftp server processing read requests may cause a NULL dereference on low-memory conditions. The malicious client can request up to 4GB SFTP reads, causing allocation of up to 4GB buffers, which was not being checked for failure. This will likely crash the authenticated user's sftp server connection (if implemented as forking as recommended). For thread-based servers, this might also cause DoS for legitimate users. Given this code is not in any released versions, no security releases have been issued.

Language: C

Severity Score

6.5

Related Resources (5)

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-3603

Url: https://access.redhat.com/security/cve/CVE-2023-3603

Url: https://bugzilla.redhat.com/show_bug.cgi?id=2221791

Url: https://git.libssh.org/projects/libssh.git/commit/?id=fe80f47b0ae8902d229ef9b8a1b4fa949b92e720

Url: https://www.mend.io/vulnerability-database/CVE-2023-3603

Severity Score

6.5

Weakness Type (CWE)

Allocation of Resources Without Limits or Throttling

CWE-770

CVSS v3.1

Base Score:	6.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2023-3603

Date: July 21, 2023

Language: C

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?