{"uuid": "7a1ff36c-c08d-4a81-be24-e62c4ede63b9", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2019-16905", "type": "seen", "source": "https://t.me/DarkWebInformer_CVEAlerts/12371", "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat Intelligence\n\ud83d\udccc CVE ID: CVE-2019-16905\n\ud83d\udd25 CVSS Score: N/A\n\ud83d\udd39 Description: OpenSSH 7.7 through 7.9 and 8.x before 8.1, when compiled with an experimental key type, has a pre-authentication integer overflow if a client or server is configured to use a crafted XMSS key. This leads to memory corruption and local code execution because of an error in the XMSS key parsing algorithm. NOTE: the XMSS implementation is considered experimental in all released OpenSSH versions, and there is no supported way to enable it when building portable OpenSSH.\n\ud83d\udccf Published: 2019-10-09T00:00:00.000Z\n\ud83d\udccf Modified: 2025-04-17T20:59:26.573Z\n\ud83d\udd17 References:\n1. https://www.openssh.com/releasenotes.html\n2. https://www.openwall.com/lists/oss-security/2019/10/09/1\n3. https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshkey-xmss.c.diff?r1=1.5&r2=1.6&f=h\n4. https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshkey-xmss.c\n5. https://bugzilla.suse.com/show_bug.cgi?id=1153537\n6. https://ssd-disclosure.com/archives/4033/ssd-advisory-openssh-pre-auth-xmss-integer-overflow\n7. https://security.netapp.com/advisory/ntap-20191024-0003/\n8. https://security.gentoo.org/glsa/201911-01\n9. https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf", "creation_timestamp": "2025-04-17T21:58:32.000000Z"}