{}

{}

{}

{"acknowledgement": "Red Hat would like to thank Martin Grubhofer for reporting this issue.", "bugzilla": {"description": "libssh: libssh: Insecure default configuration leads to local man-in-the-middle attacks on Windows", "id": "2423148", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2423148"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.8", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-427", "details": ["A flaw was found in libssh. This vulnerability allows local man-in-the-middle attacks, security downgrades of SSH (Secure Shell) connections, and manipulation of trusted host information, posing a significant risk to the confidentiality, integrity, and availability of SSH communications via an insecure default configuration on Windows systems where the library automatically loads configuration files from the C:\\etc directory, which can be created and modified by unprivileged local users."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2025-14821", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "libssh", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "libssh2", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "libssh2", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "libssh", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "libssh", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "rhcos", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2026-02-10T18:51:56Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-14821\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-14821"], "statement": "This vulnerability is rated Low for Red Hat products. The flaw in libssh is specific to its insecure default configuration on Windows systems, where it loads configuration from the C:\\etc directory. Red Hat's Linux-based products do not utilize this configuration path, and therefore are not affected by this vulnerability.", "threat_severity": "Low"}

{}