CVSS: 5.3EPSS: 2%CPEs: 5EXPL: 2CVE-2016-20012
https://notcve.org/view.php?id=CVE-2016-20012
OpenSSH through 8.7 allows remote attackers, who have a suspicion that a certain combination of username and public key is known to an SSH server, to test whether this suspicion is correct. This occurs because a challenge is sent only when that combination could be valid for a login session. NOTE: the vendor does not recognize user enumeration as a vulnerability for this product ** EN DISPTUTA ** OpenSSH versiones hasta 8.7, permite a atacantes remotos, que presentan la sospecha de que una determinada combinación de nombre de usuario y clave pública es conocida por un servidor SSH, comprobar si esta sospecha es correcta. Esto ocurre porque es enviado un desafío sólo cuando esa combinación podría ser válida para una sesión de inicio de sesión. NOTA: el proveedor no reconoce la enumeración de usuarios como una vulnerabilidad para este producto • https://github.com/openssh/openssh-portable/blob/d0fffc88c8fe90c1815c6f4097bc8cbcabc0f3dd/auth2-pubkey.c#L261-L265 https://github.com/openssh/openssh-portable/pull/270 https://github.com/openssh/openssh-portable/pull/270#issuecomment-920577097 https://github.com/openssh/openssh-portable/pull/270#issuecomment-943909185 https://rushter.com/blog/public-ssh-keys https://security.netapp.com/advisory/ntap-20211014-0005 https://utcc.utoronto.ca/~cks/space/blog/tech/SSHKeysAreInfoLeak https://www.openwall.com/lists •
CVSS: 7.8EPSS: 0%CPEs: 12EXPL: 3CVE-2020-15778 – openssh: scp allows command injection when using backtick characters in the destination argument
https://notcve.org/view.php?id=CVE-2020-15778
scp in OpenSSH through 8.3p1 allows command injection in the scp.c toremote function, as demonstrated by backtick characters in the destination argument. NOTE: the vendor reportedly has stated that they intentionally omit validation of "anomalous argument transfers" because that could "stand a great chance of breaking existing workflows." ** EN DISPUTA ** scp en OpenSSH versiones hasta 8.3p1 permite una inyección de comandos en la función toremote de scp.c, como lo demuestran los caracteres backtick en el argumento de destino. NOTA: según se informa, el proveedor ha declarado que omite intencionadamente la validación de las "transferencias de argumentos anómalos" porque eso podría "tener grandes posibilidades de romper los flujos de trabajo existentes" A flaw was found in the scp program shipped with the openssh-clients package. An attacker having the ability to scp files to a remote server, could execute arbitrary commands on the remote server by including the command as a part of the filename being copied on the server. This command is run with the permissions of user with which the files were copied on the remote server. • https://github.com/cpandya2909/CVE-2020-15778 https://github.com/Neko-chanQwQ/CVE-2020-15778-Exploit https://github.com/Evan-Zhangyf/CVE-2020-15778 https://access.redhat.com/errata/RHSA-2024:3166 https://news.ycombinator.com/item?id=25005567 https://security.gentoo.org/glsa/202212-06 https://security.netapp.com/advisory/ntap-20200731-0007 https://www.openssh.com/security.html https://access.redhat.com/security/cve/CVE-2020-15778 https://bugzilla.redhat.com/show_bug.cgi?id&# • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 5.9EPSS: 0%CPEs: 13EXPL: 0CVE-2020-14145 – openssh: Observable discrepancy leading to an information leak in the algorithm negotiation
https://notcve.org/view.php?id=CVE-2020-14145
The client side in OpenSSH 5.7 through 8.4 has an Observable Discrepancy leading to an information leak in the algorithm negotiation. This allows man-in-the-middle attackers to target initial connection attempts (where no host key for the server has been cached by the client). NOTE: some reports state that 8.5 and 8.6 are also affected. El lado del cliente en OpenSSH versiones 5.7 hasta 8.4, presenta una Discrepancia Observable que conlleva a una filtración de información en la negociación del algoritmo. Esto permite a atacantes de tipo man-in-the-middle apuntar a unos intentos iniciales de conexión (donde ninguna clave de host para el servidor ha sido almacenada en caché por parte del cliente) NOTA: algunos informes afirman que las versiones 8.5 y 8.6 también están afectadas. • http://www.openwall.com/lists/oss-security/2020/12/02/1 https://anongit.mindrot.org/openssh.git/commit/?id=b3855ff053f5078ec3d3c653cdaedefaa5fc362d https://docs.ssh-mitm.at/CVE-2020-14145.html https://github.com/openssh/openssh-portable/compare/V_8_3_P1...V_8_4_P1 https://github.com/ssh-mitm/ssh-mitm/blob/master/ssh_proxy_server/plugins/session/cve202014145.py https://security.gentoo.org/glsa/202105-35 https://security.netapp.com/advisory/ntap-20200709-0004 https://www. • CWE-203: Observable Discrepancy •
CVSS: 6.8EPSS: 0%CPEs: 9EXPL: 2CVE-2019-6110 – OpenSSH SCP Client - Write Arbitrary Files
https://notcve.org/view.php?id=CVE-2019-6110
In OpenSSH 7.9, due to accepting and displaying arbitrary stderr output from the server, a malicious server (or Man-in-The-Middle attacker) can manipulate the client output, for example to use ANSI control codes to hide additional files being transferred. En OpenSSH 7.9, debido a la aceptación y la nuestra de salidas stderr arbitrarias del servidor, un servidor malicioso (o atacante Man-in-the-Middle) puede manipular la salida del cliente, por ejemplo, para emplear códigos de control de ANSI para ocultar los archivos adicionales que se están transfiriendo. SCP clients have an issue where additional files can be copied over without your knowledge. • https://www.exploit-db.com/exploits/46516 https://www.exploit-db.com/exploits/46193 https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf https://cvsweb.openbsd.org/src/usr.bin/ssh/progressmeter.c https://cvsweb.openbsd.org/src/usr.bin/ssh/scp.c https://security.gentoo.org/glsa/201903-16 https://security.netapp.com/advisory/ntap-20190213-0001 https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt • CWE-838: Inappropriate Encoding for Output Context •
CVSS: 6.8EPSS: 0%CPEs: 51EXPL: 0CVE-2019-6109 – openssh: Missing character encoding in progress display allows for spoofing of scp client output
https://notcve.org/view.php?id=CVE-2019-6109
An issue was discovered in OpenSSH 7.9. Due to missing character encoding in the progress display, a malicious server (or Man-in-The-Middle attacker) can employ crafted object names to manipulate the client output, e.g., by using ANSI control codes to hide additional files being transferred. This affects refresh_progress_meter() in progressmeter.c. Se ha descubierto un problema en OpenSSH 7.9. Debido a la falta de cifrado de caracteres en la pantalla de progreso, un servidor malicioso (o atacante Man-in-the-Middle) puede emplear nombres de objeto manipulados para manipular la salida del cliente, por ejemplo, empleando códigos de control de ANSI para ocultar los archivos adicionales que se están transfiriendo. • http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00058.html https://access.redhat.com/errata/RHSA-2019:3702 https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf https://cvsweb.openbsd.org/src/usr.bin/ssh/progressmeter.c https://cvsweb.openbsd.org/src/usr.bin/ssh/scp.c https://lists.debian.org/debian-lts-announce/2019/03/msg00030.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W3YVQ2BPTOVDCFDVNC2GGF5P5ISFG37G https:// • CWE-116: Improper Encoding or Escaping of Output CWE-451: User Interface (UI) Misrepresentation of Critical Information •