Incorrect Authorization Affecting openssh package, versions <1:7.9p1-5
Snyk CVSS
- Attack Complexity: High
- User Interaction: Required
- Integrity: High
Threat Intelligence
- EPSS: 0.69% (80th percentile)
- Snyk ID SNYK-DEBIAN11-OPENSSH-523305
- published 10 Jan 2019
- disclosed 10 Jan 2019
Introduced: 10 Jan 2019
CVE-2018-20685
How to fix?
Upgrade Debian:11 openssh to version 1:7.9p1-5 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream openssh package and not the openssh package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.
In OpenSSH 7.9, scp.c in the scp client allows remote SSH servers to bypass intended access restrictions via the filename of . or an empty filename. The impact is modifying the permissions of the target directory on the client side.
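The kind of client-side check the description implies, as an added example (not OpenSSH's code and not part of this advisory): a receiver parses each scp control record and refuses names that are empty or `.`, and also `..` or anything containing `/`. The function names `scp_name_ok` and `parse_scp_record` are hypothetical, the sample records are constructed, and the trailing newline is assumed to be stripped already.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: 1 if a server-supplied name is a plain path component,
 * 0 for the advisory's cases ("." or empty) plus ".." and names with '/'. */
int scp_name_ok(const char *name)
{
    if (name == NULL || *name == '\0')
        return 0;
    return strcmp(name, ".") != 0 && strcmp(name, "..") != 0 &&
           strchr(name, '/') == NULL;
}

/* Parse "C<mode> <size> <name>" or "D<mode> <size> <name>". Returns 0 and
 * fills mode/name on success, -1 if malformed or the name is rejected. */
int parse_scp_record(const char *rec, unsigned *mode, const char **name)
{
    char *p;
    unsigned long m;
    if (rec == NULL || (rec[0] != 'C' && rec[0] != 'D') ||
        rec[1] < '0' || rec[1] > '7')
        return -1;
    m = strtoul(rec + 1, &p, 8);            /* octal permission bits */
    if (m > 07777 || *p != ' ')
        return -1;
    p++;
    if (*p < '0' || *p > '9')               /* size needs at least one digit */
        return -1;
    while (*p >= '0' && *p <= '9')
        p++;
    if (*p != ' ' || !scp_name_ok(p + 1))   /* the check this CVE is about */
        return -1;
    *mode = (unsigned)m;
    *name = p + 1;
    return 0;
}

int main(void)
{
    /* Constructed sample records, not captured traffic. */
    const char *recs[] = { "C0644 12 notes.txt", "D0755 0 sub",
                           "D0777 0 .", "D0777 0 ", "C0644 5 a/b" };
    unsigned mode; const char *name;
    for (size_t i = 0; i < sizeof recs / sizeof recs[0]; i++)
        printf("%-20s -> %s\n", recs[i],
               parse_scp_record(recs[i], &mode, &name) == 0 ? "accept" : "reject");
    return 0;
}
```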