CVE-2019-6111

Published: Jan 31, 2019Modified: Dec 18, 2025

5.9

Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Exploitability: 2.2 / Impact: 3.6

Source: NVD

Description

An issue was discovered in OpenSSH 7.9. Due to the scp implementation being derived from 1983 rcp, the server chooses which files/directories are sent to the client. However, the scp client only performs cursory validation of the object name returned (only directory traversal attacks are prevented). A malicious scp server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the scp client target directory. If recursive operation (-r) is performed, the server can manipulate subdirectories as well (for example, to overwrite the .ssh/authorized_keys file).

Affected (41)

Products: Openbsd: Openssh · Winscp: Winscp · Canonical: Ubuntu Linux · +7 more

Show all products

1 product

1 product

1 product

1 product

4 products

Enterprise Linux Server Aus

Enterprise Linux Server Tus

1 product

1 product

1 product

6 products

2 products

Scalance X204rna Firmware

Scalance X204rna Eec Firmware

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Openbsd Openssh	Up to 7.9
Winscp Winscp	Up to 5.1.3

Configuration B

4 vulnerable

Vulnerable Software	Affected Versions
Canonical Ubuntu Linux	Version 14.04
Canonical Ubuntu Linux	Version 16.04
Canonical Ubuntu Linux	Version 18.04
Canonical Ubuntu Linux	Version 18.10

Configuration C

2 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 8.0
Debian Debian Linux	Version 9.0

Configuration D

12 vulnerable

Vulnerable Software	Affected Versions
Redhat Enterprise Linux	Version 7.0
Redhat Enterprise Linux	Version 8.0
Redhat Enterprise Linux Eus	Version 8.1
Redhat Enterprise Linux Eus	Version 8.2
Redhat Enterprise Linux Eus	Version 8.4
Redhat Enterprise Linux Eus	Version 8.6
Redhat Enterprise Linux Server Aus	Version 8.2
Redhat Enterprise Linux Server Aus	Version 8.4
Redhat Enterprise Linux Server Aus	Version 8.6
Redhat Enterprise Linux Server Tus	Version 8.2
Redhat Enterprise Linux Server Tus	Version 8.4
Redhat Enterprise Linux Server Tus	Version 8.6

Configuration E

1 vulnerable

Vulnerable Software	Affected Versions
Fedoraproject Fedora	Version 30

Configuration F

1 vulnerable

Vulnerable Software	Affected Versions
Apache Mina Sshd	Version 2.2.0

Configuration G

5 vulnerable

Vulnerable Software	Affected Versions
Freebsd Freebsd	Before 12.0
Freebsd Freebsd	Version 12.0
Freebsd Freebsd	Version 12.0 p1
Freebsd Freebsd	Version 12.0 p2
Freebsd Freebsd	Version 12.0 p3

Configuration H

1 vulnerable

Vulnerable Software	Affected Versions
Fujitsu M10 1 Firmware	Before xcp2361

Configuration I

1 vulnerable

Vulnerable Software	Affected Versions
Fujitsu M10 4 Firmware	Before xcp2361

Configuration J

1 vulnerable

Vulnerable Software	Affected Versions
Fujitsu M10 4s Firmware	Before xcp2361

Configuration K

1 vulnerable

Vulnerable Software	Affected Versions
Fujitsu M12 1 Firmware	Before xcp2361

Configuration L

1 vulnerable

Vulnerable Software	Affected Versions
Fujitsu M12 2 Firmware	Before xcp2361

Configuration M

1 vulnerable

Vulnerable Software	Affected Versions
Fujitsu M12 2s Firmware	Before xcp2361

Configuration N

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Fujitsu M10 1 Firmware	Before xcp3070

Running on/with	Platform Versions
Fujitsu M10 1	All versions

Configuration O

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Fujitsu M10 4 Firmware	Before xcp3070

Running on/with	Platform Versions
Fujitsu M10 4	All versions

Configuration P

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Fujitsu M10 4s Firmware	Before xcp3070

Running on/with	Platform Versions
Fujitsu M10 4s	All versions

Configuration Q

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Fujitsu M12 1 Firmware	Before xcp3070

Running on/with	Platform Versions
Fujitsu M12 1	All versions

Configuration R

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Fujitsu M12 2 Firmware	Before xcp3070

Running on/with	Platform Versions
Fujitsu M12 2	All versions

Configuration S

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Fujitsu M12 2s Firmware	Before xcp3070

Running on/with	Platform Versions
Fujitsu M12 2s	All versions

Configuration T

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Siemens Scalance X204rna Firmware	Before 3.2.7

Running on/with	Platform Versions
Siemens Scalance X204rna	All versions

Configuration U

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Siemens Scalance X204rna Eec Firmware	Before 3.2.7

Running on/with	Platform Versions
Siemens Scalance X204rna Eec	All versions

Related CWEs

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

References (46)

http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00058.html

Source: cve@mitre.org

Broken Link

http://www.openwall.com/lists/oss-security/2019/04/18/1

Source: cve@mitre.org

Mailing ListThird Party Advisory

http://www.openwall.com/lists/oss-security/2022/08/02/1

Source: cve@mitre.org

Mailing ListThird Party Advisory

http://www.securityfocus.com/bid/106741

Source: cve@mitre.org

Broken LinkThird Party AdvisoryVDB Entry

https://access.redhat.com/errata/RHSA-2019:3702

Source: cve@mitre.org

Third Party Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=1677794

Source: cve@mitre.org

ExploitIssue TrackingThird Party Advisory

https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf

Source: cve@mitre.org

Third Party Advisory

https://cvsweb.openbsd.org/src/usr.bin/ssh/scp.c

Source: cve@mitre.org

Release Notes

https://lists.apache.org/thread.html/c45d9bc90700354b58fb7455962873c44229841880dcb64842fa7d23%40%3Cdev.mina.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/c7301cab36a86825359e1b725fc40304d1df56dc6d107c1fe885148b%40%3Cdev.mina.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/d540139359de999b0f1c87d05b715be4d7d4bec771e1ae55153c5c7a%40%3Cdev.mina.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/e47597433b351d6e01a5d68d610b4ba195743def9730e49561e8cf3f%40%3Cdev.mina.apache.org%3E

Source: cve@mitre.org

https://lists.debian.org/debian-lts-announce/2019/03/msg00030.html

Source: cve@mitre.org

Mailing ListThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W3YVQ2BPTOVDCFDVNC2GGF5P5ISFG37G/

Source: cve@mitre.org

https://security.gentoo.org/glsa/201903-16

Source: cve@mitre.org

Third Party Advisory

https://security.netapp.com/advisory/ntap-20190213-0001/

Source: cve@mitre.org

Third Party Advisory

https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt

Source: cve@mitre.org

Third Party Advisory

https://usn.ubuntu.com/3885-1/

Source: cve@mitre.org

Third Party Advisory

https://usn.ubuntu.com/3885-2/

Source: cve@mitre.org

Third Party Advisory

https://www.debian.org/security/2019/dsa-4387

Source: cve@mitre.org

Third Party Advisory

https://www.exploit-db.com/exploits/46193/

Source: cve@mitre.org

ExploitThird Party AdvisoryVDB Entry

https://www.freebsd.org/security/advisories/FreeBSD-EN-19:10.scp.asc

Source: cve@mitre.org

Third Party Advisory

https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html

Source: cve@mitre.org

PatchThird Party Advisory

http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00058.html