CVE-2019-6110

Exploit

EPSS 45.17%
Published 31.01.2019 18:29:00
Last modified 21.11.2024 04:45:57
Source cve@mitre.org
Teams watchlist Login
Open Login

In OpenSSH 7.9, due to accepting and displaying arbitrary stderr output from the server, a malicious server (or Man-in-The-Middle attacker) can manipulate the client output, for example to use ANSI control codes to hide additional files being transferred.

Affected products Warnungen 0 Metrics 3 CWE 1 References 10

Data is provided by the National Vulnerability Database (NVD)

Openbsd ≫ Openssh Version <= 7.9

WinSCP ≫ WinSCP Version <= 5.13

Netapp ≫ Element Software Version-

Netapp ≫ Ontap Select Deploy Version-

Netapp ≫ Storage Automation Store Version-

Siemens ≫ Scalance X204rna Firmware Version < 3.2.7

Siemens ≫ Scalance X204rna Version-

Siemens ≫ Scalance X204rna Eec Firmware Version < 3.2.7

Siemens ≫ Scalance X204rna Eec Version-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	45.17%	0.975

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	6.8	1.6	5.2	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
nvd@nist.gov	4	4.9	4.9	AV:N/AC:H/Au:N/C:P/I:P/A:N

CWE-838 Inappropriate Encoding for Output Context

The product uses or specifies an encoding when generating output to a downstream component, but the specified encoding is not the same as the encoding that is expected by the downstream component.

https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf

Patch

Third Party Advisory

https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt

Third Party Advisory

https://security.gentoo.org/glsa/201903-16

Third Party Advisory

https://cvsweb.openbsd.org/src/usr.bin/ssh/progressmeter.c

Release Notes

https://cvsweb.openbsd.org/src/usr.bin/ssh/scp.c

Release Notes

https://security.netapp.com/advisory/ntap-20190213-0001/