CVE-2019-6111

MEDIUMMonitor

Published:Jan 31, 2019(7 years ago)

Modified:Dec 18, 2025

Remote ExploitNo Auth RequiredNo Interaction

Vulnerability Description

An issue was discovered in OpenSSH 7.9. Due to the scp implementation being derived from 1983 rcp, the server chooses which files/directories are sent to the client. However, the scp client only performs cursory validation of the object name returned (only directory traversal attacks are prevented). A malicious scp server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the scp client target directory. If recursive operation (-r) is performed, the server can manipulate subdirectories as well (for example, to overwrite the .ssh/authorized_keys file).

Attack Characteristics

Network AccessHigh ComplexityNo Auth NeededNo User Interaction

🤖

AI analysis not yet available

Plain-English explanation, risk summary, and remediation steps will appear here once AI analysis is complete.

No Fix Known

No patch has been released yet. Apply workarounds or mitigations where available.

Affected Software

Vendor	Product	Versions	Fixed In
openbsd	openssh	7.9	-
winscp	winscp	5.1.3	-
canonical	ubuntu_linux	-

Timeline

Published
CVE disclosed publicly
Jan 31, 20197 years ago
Last Modified
Most recent update
Dec 18, 20255 months ago
Indexed to CVEInsight
Added to this platform
Mar 29, 20261 month ago

References

http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00058....Broken Link
http://www.openwall.com/lists/oss-security/2019/04/18/1Mailing List
http://www.openwall.com/lists/oss-security/2022/08/02/1Mailing List

CVSS Score

v3.1

5.9/ 10.0

MEDIUM

AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

At a Glance

Affected Products

References

openbsd / openssh

http://www.securityfocus.com/bid/106741Broken Link

https://access.redhat.com/errata/RHSA-2019:3702Third Party Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=1677794Exploit

https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdfThird Party Advisory

https://cvsweb.openbsd.org/src/usr.bin/ssh/scp.cRelease Notes

https://lists.apache.org/thread.html/c45d9bc90700354b58fb7455962873c44...

https://lists.apache.org/thread.html/c7301cab36a86825359e1b725fc40304d...

https://lists.apache.org/thread.html/d540139359de999b0f1c87d05b715be4d...

https://lists.apache.org/thread.html/e47597433b351d6e01a5d68d610b4ba19...

https://lists.debian.org/debian-lts-announce/2019/03/msg00030.htmlMailing List

https://lists.fedoraproject.org/archives/list/package-announce%40lists...

https://security.gentoo.org/glsa/201903-16Third Party Advisory

https://security.netapp.com/advisory/ntap-20190213-0001/Third Party Advisory

https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txtThird Party Advisory

https://usn.ubuntu.com/3885-1/Third Party Advisory

https://usn.ubuntu.com/3885-2/Third Party Advisory

https://www.debian.org/security/2019/dsa-4387Third Party Advisory

https://www.exploit-db.com/exploits/46193/Exploit

https://www.freebsd.org/security/advisories/FreeBSD-EN-19:10.scp.ascThird Party Advisory

https://www.oracle.com/technetwork/security-advisory/cpuoct2019-507283...Patch

http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00058....Broken Link

http://www.openwall.com/lists/oss-security/2019/04/18/1Mailing List

http://www.openwall.com/lists/oss-security/2022/08/02/1Mailing List