CVE-2019-6110
Public on 2019-01-31
Modified on 2024-10-28
Description
In OpenSSH 7.9, due to accepting and displaying arbitrary stderr output from the server, a malicious server (or Man-in-The-Middle attacker) can manipulate the client output, for example to use ANSI control codes to hide additional files being transferred.
This CVE is disputed by the upstream OpenSSH project. Amazon Linux does not consider this issue to be a vulnerability. Users are recommended to switch to sftp if possible, and when using scp only connect to trusted systems.
This CVE is disputed by the upstream OpenSSH project. Amazon Linux does not consider this issue to be a vulnerability. Users are recommended to switch to sftp if possible, and when using scp only connect to trusted systems.
Severity
Medium
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 1 | openssh | No Fix Planned | ||
| Amazon Linux 2 - Core | openssh | No Fix Planned | ||
| Amazon Linux 2023 | openssh | No Fix Planned |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 5.3 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N |
| NVD | CVSSv2 | 4.0 | AV:N/AC:H/Au:N/C:P/I:P/A:N |
| NVD | CVSSv3 | 6.8 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N |