CVE-2019-6110 : In OpenSSH 7.9, due to accepting and displaying arbitrary stderr output from the

In OpenSSH 7.9, due to accepting and displaying arbitrary stderr output from the server, a malicious server (or Man-in-The-Middle attacker) can manipulate the client output, for example to use ANSI control codes to hide additional files being transferred.

Published 2019-01-31 18:29:01

Updated 2023-02-23 23:29:27

Source MITRE

View at NVD, CVE.org

Products affected by CVE-2019-6110

Openbsd » Openssh
Versions up to, including, (<=) 7.9
cpe:2.3:a:openbsd:openssh:*:*:*:*:*:*:*:*
Matching versions
Siemens » Scalance X204rna Firmware
Versions before (<) 3.2.7
cpe:2.3:o:siemens:scalance_x204rna_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Siemens » Scalance X204rna » Version: N/A
Siemens » Scalance X204rna Eec Firmware
Versions before (<) 3.2.7
cpe:2.3:o:siemens:scalance_x204rna_eec_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Siemens » Scalance X204rna Eec » Version: N/A
Winscp » Winscp
Versions up to, including, (<=) 5.13
cpe:2.3:a:winscp:winscp:*:*:*:*:*:*:*:*
Matching versions
Netapp » Element Software » Version: N/A
cpe:2.3:a:netapp:element_software:-:*:*:*:*:*:*:*
Matching versions
Netapp » Ontap Select Deploy » Version: N/A
cpe:2.3:a:netapp:ontap_select_deploy:-:*:*:*:*:*:*:*
Matching versions
Netapp » Storage Automation Store » Version: N/A
cpe:2.3:a:netapp:storage_automation_store:-:*:*:*:*:*:*:*
Matching versions

Threat overview for CVE-2019-6110

Top countries where our scanners detected CVE-2019-6110

Top open port discovered on systems with this issue 22

IPs affected by CVE-2019-6110 24,878,531

Threat actors abusing to this issue? Yes

Find out if you^* are affected by CVE-2019-6110!

^*Directly or indirectly through your vendors, service providers and 3rd parties. Powered by attack surface intelligence from SecurityScorecard.

Exploit prediction scoring system (EPSS) score for CVE-2019-6110

EPSS FAQ

54.87%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 98 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2019-6110

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.0	MEDIUM	AV:N/AC:H/Au:N/C:P/I:P/A:N	4.9	4.9	NIST
Access Vector: Network Access Complexity: High Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: None
6.8	MEDIUM	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N	1.6	5.2	NIST
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: High Availability: None

CWE ids for CVE-2019-6110

CWE-838 Inappropriate Encoding for Output Context

The product uses or specifies an encoding when generating output to a downstream component, but the specified encoding is not the same as the encoding that is expected by the downstream component.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2019-6110

https://cvsweb.openbsd.org/src/usr.bin/ssh/scp.c

CVS log for src/usr.bin/ssh/scp.c
Release Notes

CVEs referencing this url
https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt

Third Party Advisory

CVEs referencing this url
https://security.netapp.com/advisory/ntap-20190213-0001/

January 2019 OpenSSH Vulnerabilities in NetApp Products | NetApp Product Security
Third Party Advisory

CVEs referencing this url
https://security.gentoo.org/glsa/201903-16

OpenSSH: Multiple vulnerabilities (GLSA 201903-16) — Gentoo security
Third Party Advisory

CVEs referencing this url
https://www.exploit-db.com/exploits/46193/

SCP Client - Multiple Vulnerabilities (SSHtranger Things)
Exploit;Third Party Advisory;VDB Entry

CVEs referencing this url
https://cvsweb.openbsd.org/src/usr.bin/ssh/progressmeter.c

CVS log for src/usr.bin/ssh/progressmeter.c
Release Notes

CVEs referencing this url
https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf

Patch;Third Party Advisory

CVEs referencing this url

Jump to