CVE-2019-6109

6.8MEDIUM

Key Information:

Vendor
OpenBSD
Status
Openssh
Winscp
Vendor
CVE Published:
31 January 2019

Summary

An issue was discovered in OpenSSH 7.9. Due to missing character encoding in the progress display, a malicious server (or Man-in-The-Middle attacker) can employ crafted object names to manipulate the client output, e.g., by using ANSI control codes to hide additional files being transferred. This affects refresh_progress_meter() in progressmeter.c.

References

https://www.debian.org/security/2019/dsa-4387
vendor-advisory
https://security.netapp.com/advisory/ntap-20190213-0001/
https://cvsweb.openbsd.org/src/usr.bin/ssh/scp.c

CVSS V3.1

Score:
6.8
Severity:
MEDIUM
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.