CVSS2: 4 Medium

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | HIGH |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | PARTIAL |
Availability Impact | NONE |
Vector | AV:N/AC:H/Au:N/C:P/I:P/A:N |

CVSS3: 6.8 Medium

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | HIGH |
Privileges Required | NONE |
User Interaction | REQUIRED |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | NONE |
Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N |

EPSS: 0.002 Low (Percentile: 59.9%)

An issue was discovered in OpenSSH 7.9. Due to missing character encoding
in the progress display, a malicious server (or Man-in-The-Middle attacker)
can employ crafted object names to manipulate the client output, e.g., by
using ANSI control codes to hide additional files being transferred. This
affects refresh_progress_meter() in progressmeter.c.
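
The kind of output encoding the description says is missing, as an added example (not OpenSSH's own code or its actual patch): every non-printable byte in a server-supplied name is escaped before the name reaches the terminal. `escape_for_terminal` is a hypothetical helper, and the sample name in `main` is constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not taken from progressmeter.c.
 * Copies `name` into `out`, replacing every byte outside printable ASCII
 * with a \ooo octal escape so the terminal never interprets it. This is
 * deliberately conservative: UTF-8 bytes are escaped as well. A literal
 * backslash is doubled so the escaped form stays unambiguous.
 * Returns the number of non-printable bytes replaced, or -1 if `out`
 * is too small to hold the full escaped name. */
int escape_for_terminal(const char *name, char *out, size_t outlen)
{
    size_t o = 0;
    int replaced = 0;

    if (outlen == 0)
        return -1;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++) {
        if (*p == '\\') {
            if (o + 2 >= outlen)
                return -1;
            out[o++] = '\\';
            out[o++] = '\\';
        } else if (*p >= 0x20 && *p < 0x7f) {
            if (o + 1 >= outlen)
                return -1;
            out[o++] = (char)*p;
        } else {
            if (o + 4 >= outlen)          /* 4 chars plus the NUL */
                return -1;
            snprintf(out + o, 5, "\\%03o", (unsigned)*p);
            o += 4;
            replaced++;
        }
    }
    out[o] = '\0';
    return replaced;
}

int main(void)
{
    /* Constructed sample: an object name carrying an ANSI escape sequence. */
    const char *name = "report\x1b[1A.txt";
    char safe[128];
    int n = escape_for_terminal(name, safe, sizeof safe);

    printf("%s (%d byte(s) escaped)\n", safe, n);
    return 0;
}
```

A non-zero return value is also a useful signal on its own: a name that needed escaping can be logged or rejected rather than only displayed.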
Author | Note |
---|---|
seth-arnold | openssh-ssh1 is provided for compatibility with old devices that cannot be upgraded to modern protocols. Thus we may not provide security support for this package if doing so would prevent access to equipment. |
mdeslaur | The recommended workaround for this issue is to switch to using sftp instead of scp. The updates in USN-3885-1 inverted two CVE numbers by accident. |
OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | openssh | < 1:7.6p1-4ubuntu0.2 | UNKNOWN |
ubuntu | 18.10 | noarch | openssh | < 1:7.7p1-4ubuntu0.2 | UNKNOWN |
ubuntu | 19.04 | noarch | openssh | < 1:7.9p1-6 | UNKNOWN |
ubuntu | 19.10 | noarch | openssh | < 1:7.9p1-6 | UNKNOWN |
ubuntu | 20.04 | noarch | openssh | < 1:7.9p1-6 | UNKNOWN |
ubuntu | 20.10 | noarch | openssh | < 1:7.9p1-6 | UNKNOWN |
ubuntu | 21.04 | noarch | openssh | < 1:7.9p1-6 | UNKNOWN |
ubuntu | 21.10 | noarch | openssh | < 1:7.9p1-6 | UNKNOWN |
ubuntu | 22.04 | noarch | openssh | < 1:7.9p1-6 | UNKNOWN |
ubuntu | 22.10 | noarch | openssh | < 1:7.9p1-6 | UNKNOWN |
launchpad.net/bugs/cve/CVE-2019-6109
lists.mindrot.org/pipermail/openssh-unix-dev/2019-January/037459.html
nvd.nist.gov/vuln/detail/CVE-2019-6109
security-tracker.debian.org/tracker/CVE-2019-6109
sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt
ubuntu.com/security/notices/USN-3885-1
www.cve.org/CVERecord?id=CVE-2019-6109