CVE-2019-6110

Public on 2019-01-31
Modified on 2024-10-28
Description
In OpenSSH 7.9, due to accepting and displaying arbitrary stderr output from the server, a malicious server (or Man-in-The-Middle attacker) can manipulate the client output, for example to use ANSI control codes to hide additional files being transferred.

This CVE is disputed by the upstream OpenSSH project. Amazon Linux does not consider this issue to be a vulnerability. Users are recommended to switch to sftp if possible, and when using scp only connect to trusted systems.
Severity
Medium severity
Medium
CVSS v3 Base Score
5.3
See breakdown

Affected Packages

Platform Package Release Date Advisory Status
Amazon Linux 1 openssh No Fix Planned
Amazon Linux 2 - Core openssh No Fix Planned
Amazon Linux 2023 openssh No Fix Planned

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv3 5.3 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
NVD CVSSv2 4.0 AV:N/AC:H/Au:N/C:P/I:P/A:N
NVD CVSSv3 6.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N