Arbitrary Output Manipulation in OpenSSH Client - OpenBSD
CVE-2019-6110

6.8MEDIUM

Key Information:

Vendor: OpenBSD
Status: Openssh; Winscp
Vendor: CVE Published:; 31 January 2019

Summary

OpenSSH 7.9 is susceptible to an issue where it accepts and displays arbitrary stderr output from a connected server. This flaw allows a malicious server or a Man-in-the-Middle (MitM) attacker to manipulate the output experienced by the client. An attacker can employ ANSI control codes to obscure vital information, such as the presence of additional files being transferred, potentially leading to unauthorized data exposure and manipulation.

References

https://security.netapp.com/advisory/ntap-20190213-0001/

https://cvsweb.openbsd.org/src/usr.bin/ssh/scp.c

https://cvsweb.openbsd.org/src/usr.bin/ssh/progressmeter.c

CVSS V3.1

Score:

6.8

Severity:

MEDIUM

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Jan 31, 2019
Vulnerability Reserved
Jan 10, 2019