CVE-2020-15778

High CVSS 7.4

Overview

scp in OpenSSH through 8.3p1 allows command injection in the scp.c toremote function, as demonstrated by backtick characters in the destination argument. NOTE: the vendor reportedly has stated that they intentionally omit validation of "anomalous argument transfers" because that could "stand a great chance of breaking existing workflows."

CWE: CWE-78 Published: 2020-07-24T14:15:12.450

Risk analysis

This vulnerability is rated 🟠 HIGH.

CVSS: 7.4 (HIGH)
Detected tags: command_injection (tag impact: LOW)

Recommended actions:

Prioritize remediation based on business criticality and exposure.
Limit exposure and increase monitoring until fixed.

Overview

Recommended tools

Tags