CVE-2019-6109

Severity: Medium (6.8, CVSS 3.1)
Published: Jan 31, 2019
Modified: May 28, 2026
Vendor: OpenBSD
Product: OpenSSH
Versions: 14.04,16.04,18.04,18.10,8.0,9.0,30,8.1,8.2,8.4

Description

An issue was discovered in OpenSSH 7.9. Due to missing character encoding in the progress display, a malicious server (or Man-in-The-Middle attacker) can employ crafted object names to manipulate the client output, e.g., by using ANSI control codes to hide additional files being transferred. This affects refresh_progress_meter() in progressmeter.c.
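
The missing step described above is encoding the object name before it is written to the terminal. The following is an added illustration of that encoding, not OpenSSH's code or its actual fix; `escape_name` and `display_name` are hypothetical names and the sample file name is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not OpenSSH code: copy name into out, replacing every
 * byte outside printable ASCII (0x20..0x7e), and the backslash itself, with a
 * \ooo octal escape so ESC, CR and other control bytes never reach the
 * terminal. Returns the number of bytes escaped, or -1 if out is too small. */
int escape_name(const char *name, char *out, size_t outlen)
{
    size_t o = 0;
    int escaped = 0;

    if (outlen == 0)
        return -1;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++) {
        if (*p >= 0x20 && *p <= 0x7e && *p != '\\') {
            if (o + 1 >= outlen)        /* keep room for the NUL */
                return -1;
            out[o++] = (char)*p;
        } else {
            if (o + 4 >= outlen)        /* 4 escape chars plus the NUL */
                return -1;
            snprintf(out + o, 5, "\\%03o", (unsigned)*p);
            o += 4;
            escaped++;
        }
    }
    out[o] = '\0';
    return escaped;
}

/* Convenience wrapper with a static buffer; returns NULL on overflow. */
const char *display_name(const char *name)
{
    static char buf[1024];
    return escape_name(name, buf, sizeof(buf)) < 0 ? NULL : buf;
}

int main(void)
{
    /* Constructed sample: a name carrying an ANSI "erase line" sequence. */
    const char *name = "file\x1b[2K.txt";
    const char *shown = display_name(name);

    printf("%s\n", shown ? shown : "(name too long)");
    return 0;
}
```

Escaping the backslash as well keeps the displayed form unambiguous, so a name that literally contains `\033` cannot be confused with an escaped control byte.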
