What is GHSA-232r-66cg-79px?

GHSA-232r-66cg-79px is a security advisory published by GitHub Security Advisories with Critical severity. Paramiko not properly checking authentication before processing other requests

Which CVE IDs does GHSA-232r-66cg-79px cover?

GHSA-232r-66cg-79px covers the following CVE IDs: CVE-2018-7750. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-232r-66cg-79px?

GHSA-232r-66cg-79px has a CVSS v3 base score of 9.8, published by GitHub Security Advisories.

Which products are affected by GHSA-232r-66cg-79px?

GHSA-232r-66cg-79px affects 7 products, including: pip/paramiko:\u003e= 2.0.0, \u003c 2.0.8; pip/paramiko:\u003e= 2.1.0, \u003c 2.1.5; pip/paramiko:\u003e= 2.2.0, \u003c 2.2.3; pip/paramiko:\u003e= 2.3.0, \u003c 2.3.2; pip/paramiko:= 2.4.0; and others — see the full list on the advisory page.

GHSA-232r-66cg-79pxCriticalCVSS 9.8

Paramiko not properly checking authentication before processing other requests

Vendor

GitHub Security Advisories

Published

July 12, 2018

Last Modified

June 9, 2026

🔗 CVE IDs covered (1)

CVE-2018-7750 →

📋 Description

transport.py in the SSH server implementation of Paramiko before 1.17.6, 1.18.x before 1.18.5, 2.0.x before 2.0.8, 2.1.x before 2.1.5, 2.2.x before 2.2.3, 2.3.x before 2.3.2, and 2.4.x before 2.4.1 does not properly check whether authentication is completed before processing other requests, as demonstrated by channel-open. A customized SSH client can simply skip the authentication step.

🎯 Affected products7

pip/paramiko:>= 2.0.0, < 2.0.8
pip/paramiko:>= 2.1.0, < 2.1.5
pip/paramiko:>= 2.2.0, < 2.2.3
pip/paramiko:>= 2.3.0, < 2.3.2
pip/paramiko:= 2.4.0
pip/paramiko:>= 1.18.0, < 1.18.5
pip/paramiko:< 1.17.6

🔗 References (24)

https://nvd.nist.gov/vuln/detail/CVE-2018-7750
https://github.com/paramiko/paramiko/issues/1175
https://github.com/paramiko/paramiko/commit/fa29bd8446c8eab237f5187d28787727b4610516
https://access.redhat.com/errata/RHSA-2018:0591
https://access.redhat.com/errata/RHSA-2018:0646
https://access.redhat.com/errata/RHSA-2018:1124
https://access.redhat.com/errata/RHSA-2018:1125
https://access.redhat.com/errata/RHSA-2018:1213
https://access.redhat.com/errata/RHSA-2018:1274
https://access.redhat.com/errata/RHSA-2018:1328
https://access.redhat.com/errata/RHSA-2018:1525
https://access.redhat.com/errata/RHSA-2018:1972
https://github.com/advisories/GHSA-232r-66cg-79px
https://lists.debian.org/debian-lts-announce/2018/10/msg00018.html
https://lists.debian.org/debian-lts-announce/2021/12/msg00025.html
https://github.com/paramiko/paramiko/commit/e9dfd854bdaf8af15d7834f7502a0451d217bb8c
https://github.com/paramiko/paramiko/blob/e861c7697622774071ce73b46ffe8817eacdedfa/sites/www/changelog.rst?plain=1#L759-L763
https://web.archive.org/web/20190831123128/http://www.securityfocus.com/bid/103713
https://www.exploit-db.com/exploits/45712
https://usn.ubuntu.com/3603-2
https://usn.ubuntu.com/3603-1
https://github.com/pypa/advisory-database/tree/main/vulns/paramiko/PYSEC-2018-19.yaml
https://github.com/paramiko/paramiko/blob/master/sites/www/changelog.rst
http://www.securityfocus.com/bid/103713