In OpenSSH 7.9, due to accepting and displaying arbitrary stderr output from the server, a malicious server (or Man-in-The-Middle attacker) can manipulate the client output, for example to use ANSI control codes to hide additional files being transferred.
References
| Link | Resource |
|---|---|
| https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf | Patch, Third Party Advisory |
| https://cvsweb.openbsd.org/src/usr.bin/ssh/progressmeter.c | Release Notes |
| https://cvsweb.openbsd.org/src/usr.bin/ssh/scp.c | Release Notes |
| https://security.gentoo.org/glsa/201903-16 | Third Party Advisory |
| https://security.netapp.com/advisory/ntap-20190213-0001/ | Third Party Advisory |
| https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt | Third Party Advisory |
| https://www.exploit-db.com/exploits/46193/ | Exploit, Third Party Advisory, VDB Entry |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2019-01-31T00:00:00
Updated: 2022-12-13T00:00:00
Reserved: 2019-01-10T00:00:00
Link: CVE-2019-6110
NVD Information
Status: Analyzed
Published: 2019-01-31T18:29:00.807
Modified: 2023-02-23T23:29:26.993
Link: CVE-2019-6110
Redhat Information
No data.
CWE