CVE-2018-20685
Published: 10 January 2019
In OpenSSH 7.9, scp.c in the scp client allows remote SSH servers to bypass intended access restrictions via the filename of . or an empty filename. The impact is modifying the permissions of the target directory on the client side.
Notes
Author | Note |
---|---|
seth-arnold | openssh-ssh1 is provided for compatibility with old devices that cannot be upgraded to modern protocols. Thus we may not provide security support for this package if doing so would prevent access to equipment. |
mdeslaur | The recommended workaround for this issue is to switch to using sftp instead of scp. |
Priority
CVSS 3 base score: 5.3
Status
Package | Release | Status |
---|---|---|
openssh Launchpad, Ubuntu, Debian |
bionic |
Released
(1:7.6p1-4ubuntu0.2)
|
cosmic |
Released
(1:7.7p1-4ubuntu0.2)
|
|
disco |
Released
(1:7.9p1-5)
|
|
eoan |
Released
(1:7.9p1-5)
|
|
focal |
Released
(1:7.9p1-5)
|
|
groovy |
Released
(1:7.9p1-5)
|
|
hirsute |
Released
(1:7.9p1-5)
|
|
impish |
Released
(1:7.9p1-5)
|
|
jammy |
Released
(1:7.9p1-5)
|
|
kinetic |
Released
(1:7.9p1-5)
|
|
precise |
Ignored
(end of ESM support, was needed)
|
|
trusty |
Released
(1:6.6p1-2ubuntu2.12)
|
|
upstream |
Released
(1:7.9p1-5)
|
|
xenial |
Released
(1:7.2p2-4ubuntu2.7)
|
|
Patches: upstream: https://github.com/openssh/openssh-portable/commit/6010c0303a422a9c5fa8860c061bf7105eb7f8b2 upstream: https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/scp.c.diff?r1=1.197&r2=1.198&f=h |
||
openssh-ssh1 Launchpad, Ubuntu, Debian |
bionic |
Needs triage
|
cosmic |
Ignored
(reached end-of-life)
|
|
disco |
Ignored
(reached end-of-life)
|
|
eoan |
Ignored
(reached end-of-life)
|
|
focal |
Needs triage
|
|
groovy |
Ignored
(reached end-of-life)
|
|
hirsute |
Ignored
(reached end-of-life)
|
|
impish |
Ignored
(reached end-of-life)
|
|
jammy |
Needs triage
|
|
kinetic |
Needs triage
|
|
precise |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Ignored
(frozen on openssh 7.5p)
|
|
xenial |
Does not exist
|