CVE-2019-6109

An issue was discovered in OpenSSH 7.9. Due to missing character encoding in the progress display, a malicious server (or Man-in-The-Middle attacker) can employ crafted object names to manipulate the client output, e.g., by using ANSI control codes to hide additional files being transferred. This affects refreshprogressmeter() in progressmeter.c.

Database specific

{
    "unresolved_ranges": [
        {
            "source": "CPE_FIELD",
            "extracted_events": [
                {
                    "last_affected": "5.13"
                }
            ],
            "cpe": "cpe:2.3:a:winscp:winscp:*:*:*:*:*:*:*:*"
        },
        {
            "source": "CPE_FIELD",
            "extracted_events": [
                {
                    "last_affected": "14.04"
                }
            ],
            "cpe": "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*"
        },
        {
            "source": "CPE_FIELD",
            "extracted_events": [
                {
                    "last_affected": "16.04"
                }
            ],
            "cpe": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*"
        },
        {
            "source": "CPE_FIELD",
            "extracted_events": [
                {
                    "last_affected": "18.04"
                }
            ],
            "cpe": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*"
        },
        {
            "source": "CPE_FIELD",
            "extracted_events": [
                {
                    "last_affected": "18.10"
                }
            ],
            "cpe": "cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*"
        },
        {
            "source": "CPE_FIELD",
            "extracted_events": [
                {
                    "last_affected": "30"
                }
            ],
            "cpe": "cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*"
        },
        {
            "source": "CPE_FIELD",
            "extracted_events": [
                {
                    "fixed": "xcp2361"
                },
                {
                    "fixed": "xcp3070"
                }
            ],
            "cpe": "cpe:2.3:o:fujitsu:m10-1_firmware:*:*:*:*:*:*:*:*"
        },
        {
            "source": "CPE_FIELD",
            "extracted_events": [
                {
                    "fixed": "xcp2361"
                },
                {
                    "fixed": "xcp3070"
                }
            ],
            "cpe": "cpe:2.3:o:fujitsu:m10-4_firmware:*:*:*:*:*:*:*:*"
        },
        {
            "source": "CPE_FIELD",
            "extracted_events": [
                {
                    "fixed": "xcp2361"
                },
                {
                    "fixed": "xcp3070"
                }
            ],
            "cpe": "cpe:2.3:o:fujitsu:m10-4s_firmware:*:*:*:*:*:*:*:*"
        },
        {
            "source": "CPE_FIELD",
            "extracted_events": [
                {
                    "fixed": "xcp2361"
                },
                {
                    "fixed": "xcp3070"
                }
            ],
            "cpe": "cpe:2.3:o:fujitsu:m12-1_firmware:*:*:*:*:*:*:*:*"
        },
        {
            "source": "CPE_FIELD",
            "extracted_events": [
                {
                    "fixed": "xcp2361"
                },
                {
                    "fixed": "xcp3070"
                }
            ],
            "cpe": "cpe:2.3:o:fujitsu:m12-2_firmware:*:*:*:*:*:*:*:*"
        },
        {
            "source": "CPE_FIELD",
            "extracted_events": [
                {
                    "fixed": "xcp2361"
                },
                {
                    "fixed": "xcp3070"
                }
            ],
            "cpe": "cpe:2.3:o:fujitsu:m12-2s_firmware:*:*:*:*:*:*:*:*"
        },
        {
            "source": "CPE_FIELD",
            "extracted_events": [
                {
                    "fixed": "3.2.7"
                }
            ],
            "cpe": "cpe:2.3:o:siemens:scalance_x204rna_eec_firmware:*:*:*:*:*:*:*:*"
        },
        {
            "source": "CPE_FIELD",
            "extracted_events": [
                {
                    "fixed": "3.2.7"
                }
            ],
            "cpe": "cpe:2.3:o:siemens:scalance_x204rna_firmware:*:*:*:*:*:*:*:*"
        }
    ]
}

References

Affected packages

Git / github.com/openssh/openssh-portable

Affected ranges

Type

GIT

Repo

https://github.com/openssh/openssh-portable

Events

Introduced

Last affected

aede1c34243a6f7feae2fb2cb686ade5f9be6f3d

Last affected

fd0fa130ecf06d7d092932adcd5d77f1549bfc8d

Last affected

94eb6858efecc1b4f02d8a6bd35e149f55c814c8

Last affected

cdf1d0a9f5d18535e0a18ff34860e81a6d83aa5c

Last affected

8aa3455b16fddea4c0144a7c4a1edb10ec67dcc8

Last affected

279261e1ea8150c7c64ab5fe7cb4a4ea17acbb29

Last affected

e86968280e358e62649d268d41f698d64d0dc9fa

Database specific

{
    "source": "CPE_FIELD",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "7.9"
        },
        {
            "last_affected": "8.0"
        },
        {
            "last_affected": "9.0"
        },
        {
            "last_affected": "8.1"
        },
        {
            "last_affected": "8.2"
        },
        {
            "last_affected": "8.4"
        },
        {
            "last_affected": "8.6"
        }
    ],
    "cpe": [
        "cpe:2.3:a:openbsd:openssh:*:*:*:*:*:*:*:*",
        "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
        "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
        "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*",
        "cpe:2.3:o:redhat:enterprise_linux_eus:8.1:*:*:*:*:*:*:*",
        "cpe:2.3:o:redhat:enterprise_linux_eus:8.2:*:*:*:*:*:*:*",
        "cpe:2.3:o:redhat:enterprise_linux_eus:8.4:*:*:*:*:*:*:*",
        "cpe:2.3:o:redhat:enterprise_linux_eus:8.6:*:*:*:*:*:*:*",
        "cpe:2.3:o:redhat:enterprise_linux_server_aus:8.2:*:*:*:*:*:*:*",
        "cpe:2.3:o:redhat:enterprise_linux_server_aus:8.4:*:*:*:*:*:*:*",
        "cpe:2.3:o:redhat:enterprise_linux_server_aus:8.6:*:*:*:*:*:*:*",
        "cpe:2.3:o:redhat:enterprise_linux_server_tus:8.2:*:*:*:*:*:*:*",
        "cpe:2.3:o:redhat:enterprise_linux_server_tus:8.4:*:*:*:*:*:*:*",
        "cpe:2.3:o:redhat:enterprise_linux_server_tus:8.6:*:*:*:*:*:*:*"
    ]
}

Affected versions

Other

ABOUT_TO_ADD_INET_ATON

AFTER_FREEBSD_PAM_MERGE

AFTER_KRB5_GSSAPI_MERGE

BEFORE_FREEBSD_PAM_MERGE

BEFORE_KRB5_GSSAPI_MERGE

POST_KRB4_REMOVAL

PRE-REORDER

PRE_CYGWIN_MERGE

PRE_DAN_PATCH_MERGE

PRE_FIXPATHS_INTEGRATION

PRE_HPUX_INTEGRATION

PRE_IPV6

PRE_KRB4_REMOVAL

PRE_NEW_LOGIN_CODE

PRE_SW_KRBV

V_1_2PRE17

V_1_2_1_PRE18

V_1_2_1_PRE19

V_1_2_1_PRE20

V_1_2_1_PRE21

V_1_2_1_PRE22

V_1_2_1_PRE23

V_1_2_1_PRE24

V_1_2_1_PRE25

V_1_2_1_PRE26

V_1_2_1_PRE27

V_1_2_2

V_1_2_2_P1

V_1_2_2_PRE28

V_1_2_2_PRE29

V_1_2_3

V_1_2_3_PRE1

V_1_2_3_PRE2

V_1_2_3_PRE3

V_1_2_3_PRE4

V_1_2_3_PRE5

V_1_2_3_TEST1

V_1_2_3_TEST2

V_1_2_3_TEST3

V_1_2_PRE10

V_1_2_PRE11

V_1_2_PRE12

V_1_2_PRE13

V_1_2_PRE14

V_1_2_PRE15

V_1_2_PRE16

V_1_2_PRE4

V_1_2_PRE5

V_1_2_PRE6

V_1_2_PRE7

V_1_2_PRE8

V_1_2_PRE9

V_2_0_0_BETA1

V_2_0_0_BETA2

V_2_0_0_TEST1

V_2_1_0

V_2_1_0_P1

V_2_1_0_P2

V_2_1_0_P3

V_2_1_1_P1

V_2_1_1_P2

V_2_1_1_P3

V_2_1_1_P4

V_2_2_0_P1

V_2_3_0_P1

V_2_5_0_P1

V_2_5_1_P1

V_2_5_1_P2

V_2_5_2_P1

V_3_0_1_P1

V_3_0_P1

V_3_1_P1

V_3_2_2_P1

V_3_4_P1

V_3_6_1_P1

V_3_8_P1

V_3_9_P1

V_4_2_P1

V_5_0_P1

V_5_1_P1

V_5_2_P1

V_5_5_P1

V_5_7_P1

V_6_0_P1

V_6_1_P1

V_6_2_P1

V_6_5_P1

V_6_6_P1

V_6_8_P1

V_6_9_P1

V_7_0_P1

V_7_1_P1

V_7_2_P1

V_7_3_P1

V_7_4_P1

V_7_5_P1

V_7_6_P1

V_7_7_P1

V_7_8_P1

V_7_9_P1

V_8_0_P1

V_8_1_P1

V_8_2_P1

V_8_4_P1

V_8_5_P1

V_8_6_P1

V_8_7_P1

V_8_8_P1

V_8_9_P1

V_9_0_P1

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-6109.json"