Vulnerability Details : CVE-2018-20685

In OpenSSH 7.9, scp.c in the scp client allows remote SSH servers to bypass intended access restrictions via the filename of . or an empty filename. The impact is modifying the permissions of the target directory on the client side.

Published 2019-01-10 21:29:00

Updated 2023-02-23 23:15:18

Source MITRE

View at NVD, CVE.org

Threat overview for CVE-2018-20685

Top countries where our scanners detected CVE-2018-20685

Top open port discovered on systems with this issue 22

IPs affected by CVE-2018-20685 19,954,693

Threat actors abusing to this issue? Yes

Find out if you^* are affected by CVE-2018-20685!

^*Directly or indirectly through your vendors, service providers and 3rd parties. Powered by attack surface intelligence from SecurityScorecard.

Exploit prediction scoring system (EPSS) score for CVE-2018-20685

Probability of exploitation activity in the next 30 days: 0.71%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 78 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2018-20685

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Source
2.6	LOW	AV:N/AC:H/Au:N/C:N/I:P/A:N	4.9	2.9	nvd@nist.gov
Access Vector: Network Access Complexity: High Authentication: None Confidentiality Impact: None Integrity Impact: Partial Availability Impact: None
5.3	MEDIUM	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N	1.6	3.6	nvd@nist.gov
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: None Integrity: High Availability: None

CWE ids for CVE-2018-20685

CWE-863 Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2018-20685

https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt

Patch;Third Party Advisory

CVEs referencing this url
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html

Page not found | Oracle
Patch;Third Party Advisory

CVEs referencing this url
https://security.gentoo.org/glsa/201903-16

OpenSSH: Multiple vulnerabilities (GLSA 201903-16) — Gentoo security
Third Party Advisory

CVEs referencing this url
https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/scp.c.diff?r1=1.197&r2=1.198&f=h

src/usr.bin/ssh/scp.c - diff - 1.198
Patch
https://github.com/openssh/openssh-portable/commit/6010c0303a422a9c5fa8860c061bf7105eb7f8b2

upstream: disallow empty incoming filename or ones that refer to the · openssh/openssh-portable@6010c03 · GitHub
Patch
https://security.gentoo.org/glsa/202007-53

Dropbear: Multiple vulnerabilities (GLSA 202007-53) — Gentoo security
Third Party Advisory

CVEs referencing this url
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

Oracle Critical Patch Update - April 2019
Patch;Third Party Advisory

CVEs referencing this url
https://security.netapp.com/advisory/ntap-20190215-0001/

CVE-2018-20685 OpenSSH Vulnerability in NetApp Products | NetApp Product Security
Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:3702

RHSA-2019:3702 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://usn.ubuntu.com/3885-1/

USN-3885-1: OpenSSH vulnerabilities | Ubuntu security notices
Third Party Advisory

CVEs referencing this url
https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf

Patch;Third Party Advisory

CVEs referencing this url
http://www.securityfocus.com/bid/106531

OpenSSH CVE-2018-20685 Access Bypass Vulnerability
Broken Link
https://lists.debian.org/debian-lts-announce/2019/03/msg00030.html

[SECURITY] [DLA 1728-1] openssh security update
Mailing List;Third Party Advisory

CVEs referencing this url
https://www.debian.org/security/2019/dsa-4387

Debian -- Security Information -- DSA-4387-1 openssh
Third Party Advisory

CVEs referencing this url

Products affected by CVE-2018-20685

Debian » Debian Linux » Version: 8.0
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
Matching versions
Debian » Debian Linux » Version: 9.0
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux » Version: 7.0
cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux » Version: 8.0
cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Eus » Version: 8.1
cpe:2.3:o:redhat:enterprise_linux_eus:8.1:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Eus » Version: 8.2
cpe:2.3:o:redhat:enterprise_linux_eus:8.2:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Eus » Version: 8.4
cpe:2.3:o:redhat:enterprise_linux_eus:8.4:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Eus » Version: 8.6
cpe:2.3:o:redhat:enterprise_linux_eus:8.6:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server Aus » Version: 8.2
cpe:2.3:o:redhat:enterprise_linux_server_aus:8.2:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server Aus » Version: 8.4
cpe:2.3:o:redhat:enterprise_linux_server_aus:8.4:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server Aus » Version: 8.6
cpe:2.3:o:redhat:enterprise_linux_server_aus:8.6:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server Tus » Version: 8.2
cpe:2.3:o:redhat:enterprise_linux_server_tus:8.2:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server Tus » Version: 8.4
cpe:2.3:o:redhat:enterprise_linux_server_tus:8.4:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server Tus » Version: 8.6
cpe:2.3:o:redhat:enterprise_linux_server_tus:8.6:*:*:*:*:*:*:*
Matching versions
Oracle » Solaris » Version: 10
cpe:2.3:o:oracle:solaris:10:*:*:*:*:*:*:*
Matching versions
Openbsd » Openssh
Versions up to, including, (<=) 7.9
cpe:2.3:a:openbsd:openssh:*:*:*:*:*:*:*:*
Matching versions
Siemens » Scalance X204rna Firmware
Versions before (<) 3.2.7
cpe:2.3:o:siemens:scalance_x204rna_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Siemens » Scalance X204rna » Version: N/A
Siemens » Scalance X204rna Eec Firmware
Versions before (<) 3.2.7
cpe:2.3:o:siemens:scalance_x204rna_eec_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Siemens » Scalance X204rna Eec » Version: N/A
Fujitsu » M10-1 Firmware
Versions before (<) xcp2361
cpe:2.3:o:fujitsu:m10-1_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Fujitsu » M10-1 » Version: N/A
Fujitsu » M10-1 Firmware
Versions before (<) xcp3070
cpe:2.3:o:fujitsu:m10-1_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Fujitsu » M10-1 » Version: N/A
Fujitsu » M10-4 Firmware
Versions before (<) xcp3070
cpe:2.3:o:fujitsu:m10-4_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Fujitsu » M10-4 » Version: N/A
Fujitsu » M10-4 Firmware
Versions before (<) xcp2361
cpe:2.3:o:fujitsu:m10-4_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Fujitsu » M10-4 » Version: N/A
Fujitsu » M10-4s Firmware
Versions before (<) xcp3070
cpe:2.3:o:fujitsu:m10-4s_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Fujitsu » M10-4s » Version: N/A
Fujitsu » M10-4s Firmware
Versions before (<) xcp2361
cpe:2.3:o:fujitsu:m10-4s_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Fujitsu » M10-4s » Version: N/A
Fujitsu » M12-1 Firmware
Versions before (<) xcp3070
cpe:2.3:o:fujitsu:m12-1_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Fujitsu » M12-1 » Version: N/A
Fujitsu » M12-1 Firmware
Versions before (<) xcp2361
cpe:2.3:o:fujitsu:m12-1_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Fujitsu » M12-1 » Version: N/A
Fujitsu » M12-2 Firmware
Versions before (<) xcp2361
cpe:2.3:o:fujitsu:m12-2_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Fujitsu » M12-2 » Version: N/A
Fujitsu » M12-2 Firmware
Versions before (<) xcp3070
cpe:2.3:o:fujitsu:m12-2_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Fujitsu » M12-2 » Version: N/A
Fujitsu » M12-2s Firmware
Versions before (<) xcp3070
cpe:2.3:o:fujitsu:m12-2s_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Fujitsu » M12-2s » Version: N/A
Fujitsu » M12-2s Firmware
Versions before (<) xcp2361
cpe:2.3:o:fujitsu:m12-2s_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Fujitsu » M12-2s » Version: N/A
Winscp » Winscp
Versions up to, including, (<=) 5.13
cpe:2.3:a:winscp:winscp:*:*:*:*:*:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 14.04 LTS Edition
cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 16.04 LTS Edition
cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 18.04 LTS Edition
cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 18.10
cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*
Matching versions
Netapp » Cloud Backup » Version: N/A
cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:*
Matching versions
Netapp » Element Software » Version: N/A
cpe:2.3:a:netapp:element_software:-:*:*:*:*:*:*:*
Matching versions
Netapp » Ontap Select Deploy » Version: N/A
cpe:2.3:a:netapp:ontap_select_deploy:-:*:*:*:*:*:*:*
Matching versions
Netapp » Steelstore Cloud Integrated Storage » Version: N/A
cpe:2.3:a:netapp:steelstore_cloud_integrated_storage:-:*:*:*:*:*:*:*
Matching versions
Netapp » Storage Automation Store » Version: N/A
cpe:2.3:a:netapp:storage_automation_store:-:*:*:*:*:*:*:*
Matching versions