GHSA-232r-66cg-79px · Severity: critical · Ecosystem: pip — Paramiko not properly checking authentication before processing other requests
transport.py in the SSH server implementation of Paramiko before 1.17.6, 1.18.x before 1.18.5, 2.0.x before 2.0.8, 2.1.x before 2.1.5, 2.2.x before 2.2.3, 2.3.x before 2.3.2, and 2.4.x before 2.4.1 does not properly check whether authentication is completed before processing other requests, as demonstrated by channel-open. A customized SSH client can simply skip the authentication step.
Conclusion & alert: CVE-2018-7750 is rated High Exploit Risk (93.4/100): CVSS Critical severity, with high exploitation likelihood (EPSS 27.07%, 98th percentile). Core evidence: 2 public exploit reference(s) are indexed (Exploit-DB). EPSS rose +9.38% over the last day, indicating growing attacker interest. Mandatory action: Public exploits are available—assess exposure, apply mitigations, and prioritize patching.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
| EDB-ID | Source | Kind | Published | Link |
|---|---|---|---|---|
| 45712 | exploit_db | edb | 2018-10-29 | Exploit-DB ↗ |
| — | nvd_ref | exploit_tag | — | Exploit-DB ↗ |
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 17.69% | 27.07% | +9.38% |
| 2 | 2026-06-09 | 13.83% | 17.69% | +3.86% |
| 3 | 2026-04-13 | — | 13.83% | — |
Full EPSS history (34 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 9.8 | 3.1 | CRITICAL | — | 3.9 | 5.9 | [email protected] |
| 7.5 | 2.0 | HIGH | — | 10.0 | 6.4 | [email protected] |
| vendor | priority | summary | link |
|---|---|---|---|
| alpine | critical | CVE-2018-7750: 1 source package row (py3-paramiko); 10 state rows across 10 repos (3.11-main, 3.12-main, 3.17-community, 3.18-community, 3.19-community, 3.20-community, 3.21-community, 3.22-community, edge-community, edge-main); fixed 10, open 0. | https://security.alpinelinux.org/vuln/CVE-2018-7750 |
| debian | not yet assigned | CVE-2018-7750 not yet assigned priority: Debian including 1 source package (paramiko), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. | https://security-tracker.debian.org/tracker/CVE-2018-7750 |
| redhat | critical | — | https://access.redhat.com/security/cve/CVE-2018-7750 |
| suse | high | CVE-2018-7750 severity important: SUSE including 254 source package names (amazon/suse-sles-15-sp1-chost-byos-v20210304-hvm-ssd-x86_64, amazon/suse-sles-15-sp1-chost-byos-v20220127-hvm-ssd-x86_64, …), 276 product×package rows across 32 product lines (HPE Helion OpenStack 8, Image SLES12-SP5-EC2-BYOS, …): Known Affected 231, Fixed 28, Known Not Affected 17. | https://www.suse.com/security/cve/CVE-2018-7750/ |
| ubuntu | high | CVE-2018-7750 high priority: Ubuntu including 1 source package (paramiko), 4 status rows across 4 suites (artful, trusty, upstream, xenial): released 3, needs-triage 1. | https://ubuntu.com/security/CVE-2018-7750 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| paramiko | paramiko | < 1.17.6 | cpe:2.3:a:paramiko:paramiko:*:*:*:*:*:*:*:* |
| paramiko | paramiko | >= 1.18.0, < 1.18.5 | cpe:2.3:a:paramiko:paramiko:*:*:*:*:*:*:*:* |
| paramiko | paramiko | >= 2.0.0, < 2.0.8 | cpe:2.3:a:paramiko:paramiko:*:*:*:*:*:*:*:* |
| paramiko | paramiko | >= 2.1.0, < 2.1.5 | cpe:2.3:a:paramiko:paramiko:*:*:*:*:*:*:*:* |
| paramiko | paramiko | >= 2.2.0, < 2.2.3 | cpe:2.3:a:paramiko:paramiko:*:*:*:*:*:*:*:* |
| paramiko | paramiko | >= 2.3.0, < 2.3.2 | cpe:2.3:a:paramiko:paramiko:*:*:*:*:*:*:*:* |
| paramiko | paramiko | 2.4.0 | cpe:2.3:a:paramiko:paramiko:2.4.0:*:*:*:*:*:*:* |
| redhat | ansible_engine | 2.0 | cpe:2.3:a:redhat:ansible_engine:2.0:*:*:*:*:*:*:* |
| redhat | ansible_engine | 2.4 | cpe:2.3:a:redhat:ansible_engine:2.4:*:*:*:*:*:*:* |
| redhat | cloudforms | 4.5 | cpe:2.3:a:redhat:cloudforms:4.5:*:*:*:*:*:*:* |
| redhat | cloudforms | 4.6 | cpe:2.3:a:redhat:cloudforms:4.6:*:*:*:*:*:*:* |
| redhat | virtualization | 4.1 | cpe:2.3:a:redhat:virtualization:4.1:*:*:*:*:*:*:* |
| redhat | enterprise_linux_desktop | 6.0 | cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:* |
| redhat | enterprise_linux_server | 6.0 | cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:* |
| redhat | enterprise_linux_server | 7.0 | cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:* |
| redhat | enterprise_linux_server_aus | 6.4 | cpe:2.3:o:redhat:enterprise_linux_server_aus:6.4:*:*:*:*:*:*:* |
| redhat | enterprise_linux_server_aus | 6.5 | cpe:2.3:o:redhat:enterprise_linux_server_aus:6.5:*:*:*:*:*:*:* |
| redhat | enterprise_linux_server_aus | 6.6 | cpe:2.3:o:redhat:enterprise_linux_server_aus:6.6:*:*:*:*:*:*:* |
| redhat | enterprise_linux_server_eus | 6.7 | cpe:2.3:o:redhat:enterprise_linux_server_eus:6.7:*:*:*:*:*:*:* |
| redhat | enterprise_linux_server_tus | 6.6 | cpe:2.3:o:redhat:enterprise_linux_server_tus:6.6:*:*:*:*:*:*:* |
| redhat | enterprise_linux_workstation | 6.0 | cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:* |
| debian | debian_linux | 8.0 | cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:* |
| debian | debian_linux | 9.0 | cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:* |