Improper Encoding or Escaping of Output

Affecting the Debian 9 openssh package, versions <1:7.4p1-10+deb9u5


Overview

An issue was discovered in OpenSSH 7.9; the Debian 9 package, based on 7.4p1, carries the same scp code and is affected in versions before 1:7.4p1-10+deb9u5. The scp client's progress meter, refresh_progress_meter() in progressmeter.c, writes the name of the object being transferred to the terminal without escaping non-printable characters. Because that name is supplied by the remote side, a malicious server (or a man-in-the-middle attacker impersonating the server) can use crafted object names containing terminal control sequences, such as ANSI escape codes that move the cursor or erase lines, to manipulate the client's output, e.g. to hide additional files being transferred. Exploitation requires the user to run scp against the attacker-controlled endpoint, and in the man-in-the-middle case the attacker must also present a host key the client accepts, which is why the CVSS vector rates attack complexity as High and user interaction as Required.
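The following is an added example, not OpenSSH's code, modelling the bug in Python. It shows a progress line that writes the remote-supplied name verbatim beside one that escapes it first, and feeds both through a tiny terminal model so the effect of the control sequences is visible. The sample file names are constructed, and the terminal model and the \xNN escaping format are assumptions made for illustration (OpenSSH's fix uses its own vis()-style escaping, which is not reproduced here).

```python
"""Model of CVE-2019-6109 (scp progress meter, refresh_progress_meter() in
progressmeter.c): the file name shown in the progress line comes from the
remote side and was written to the terminal unescaped.

Added example for illustration; this is not OpenSSH's code.  The terminal
model and the \\xNN escaping format are simplifying assumptions."""
import re

ESC = "\x1b"

# Constructed sample input: two file names as a hostile server would send them.
# The second name starts with "cursor up one line" + "erase line", so on a real
# terminal it overwrites the line that announced the first (hidden) file.
SERVER_FILES = [
    "evil_script.sh",
    ESC + "[1A" + ESC + "[2K" + "readme.txt",
]


def progress_line_vulnerable(name: str, percent: int) -> str:
    """Pre-fix behaviour, simplified: the name reaches the terminal verbatim."""
    return f"{name:<30} {percent:3d}%\n"


def sanitize_name(name: str) -> str:
    """Escape anything outside printable ASCII as \\xNN so the terminal cannot
    interpret it (assumed format; OpenSSH uses its own vis()-style escaping)."""
    return "".join(
        ch if 0x20 <= ord(ch) < 0x7F else f"\\x{ord(ch):02x}" for ch in name
    )


def progress_line_fixed(name: str, percent: int) -> str:
    """Post-fix behaviour: escape the remote-supplied name before display."""
    return progress_line_vulnerable(sanitize_name(name), percent)


class Terminal:
    """Tiny terminal model: handles \\n, \\r, CSI n A (cursor up) and CSI 2 K
    (erase whole line), which is enough to show the effect of the attack."""

    _csi = re.compile(r"\x1b\[(\d*)([A-Za-z])")

    def __init__(self) -> None:
        self.lines = [""]
        self.row = 0
        self.col = 0

    def write(self, text: str) -> None:
        i = 0
        while i < len(text):
            m = self._csi.match(text, i)
            if m:
                n, cmd = int(m.group(1) or "1"), m.group(2)
                if cmd == "A":                      # cursor up n rows
                    self.row = max(0, self.row - n)
                elif cmd == "K" and n == 2:         # erase entire line
                    self.lines[self.row] = ""
                    self.col = 0
                i = m.end()
                continue
            ch = text[i]
            i += 1
            if ch == "\n":
                self.row += 1
                self.col = 0
                if self.row == len(self.lines):
                    self.lines.append("")
            elif ch == "\r":
                self.col = 0
            else:                                   # overwrite at the cursor
                line = self.lines[self.row].ljust(self.col)
                self.lines[self.row] = line[: self.col] + ch + line[self.col + 1 :]
                self.col += 1

    def screen(self) -> list:
        """Non-empty lines as the user would see them."""
        return [line.rstrip() for line in self.lines if line.strip()]


def render(names, line_fn):
    """Feed one progress line per transferred file through the terminal model
    and return what remains visible afterwards."""
    term = Terminal()
    for name in names:
        term.write(line_fn(name, 100))
    return term.screen()


if __name__ == "__main__":
    print("vulnerable client shows:", render(SERVER_FILES, progress_line_vulnerable))
    print("fixed client shows:     ", render(SERVER_FILES, progress_line_fixed))
```

With the unescaped name the terminal ends up showing a single line for readme.txt, the line for evil_script.sh having been erased; with escaping applied the control bytes are printed as literal \x1b text and both transfers stay visible. On a real scp session the hidden file is still written to disk, which is why sanitizing the displayed name (or using sftp, or updating to a fixed package) matters more than the cosmetic oddity suggests.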

CVSS Score

6.8
medium severity
  • Attack Vector
    Network
  • Attack Complexity
    High
  • Privileges Required
    None
  • User Interaction
    Required
  • Scope
    Unchanged
  • Confidentiality
    High
  • Integrity
    High
  • Availability
    None
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
CVE
CVE-2019-6109
CWE
CWE-116
Snyk ID
SNYK-DEBIAN9-OPENSSH-368589
Disclosed
31 Jan, 2019
Published
15 Jan, 2019