Improper Encoding or Escaping of Output in openssh

Do your applications use this vulnerable package? Test your applications

Overview

An issue was discovered in OpenSSH 7.9. Due to missing character encoding in the progress display, a malicious server (or Man-in-The-Middle attacker) can employ crafted object names to manipulate the client output, e.g., by using ANSI control codes to hide additional files being transferred. This affects refresh_progress_meter() in progressmeter.c.

References

CVE Details
Debian Security Advisory
Debian Security Announcement
Debian Security Tracker
Fedora Security Update
Gentoo Security Advisory
MISC
MISC
MISC
MISC
Netapp Security Advisory
REDHAT
SUSE
Ubuntu CVE Tracker
Ubuntu Security Advisory

Attack Vector

Network
Attack Complexity

High
Privileges Required

None
User Interaction

Required
Scope

Unchanged
Confidentiality

High
Integrity

High
Availability

None

CVE: CVE-2019-6109
CWE: CWE-116
Snyk ID: SNYK-DEBIAN9-OPENSSH-368589
Disclosed: 31 Jan, 2019
Published: 15 Jan, 2019

Improper Encoding or Escaping of Output
Affecting openssh package, versions <1:7.4p1-10+deb9u5

Overview

References

CVSS Score

Improper Encoding or Escaping of Output Affecting openssh package, versions <1:7.4p1-10+deb9u5

Overview

References

Improper Encoding or Escaping of Output
Affecting openssh package, versions <1:7.4p1-10+deb9u5