CVE-2020-15778

openssh: scp allows command injection when using backtick characters in the destination argument

Severity Score

7.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

scp in OpenSSH through 8.3p1 allows command injection in the scp.c toremote function, as demonstrated by backtick characters in the destination argument. NOTE: the vendor reportedly has stated that they intentionally omit validation of "anomalous argument transfers" because that could "stand a great chance of breaking existing workflows."

** EN DISPUTA ** scp en OpenSSH versiones hasta 8.3p1 permite una inyección de comandos en la función toremote de scp.c, como lo demuestran los caracteres backtick en el argumento de destino. NOTA: según se informa, el proveedor ha declarado que omite intencionadamente la validación de las "transferencias de argumentos anómalos" porque eso podría "tener grandes posibilidades de romper los flujos de trabajo existentes"

A flaw was found in the scp program shipped with the openssh-clients package. An attacker having the ability to scp files to a remote server, could execute arbitrary commands on the remote server by including the command as a part of the filename being copied on the server. This command is run with the permissions of user with which the files were copied on the remote server. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

Poc

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2020-07-15 CVE Reserved
2020-07-24 CVE Published
2022-02-18 First Exploit
2024-07-31 EPSS Updated
2024-08-04 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CAPEC

References (11)

URL	Tag	Source
https://access.redhat.com/errata/RHSA-2024:3166
https://news.ycombinator.com/item?id=25005567	Third Party Advisory
https://security.netapp.com/advisory/ntap-20200731-0007	Third Party Advisory

URL	Date	SRC
https://github.com/cpandya2909/CVE-2020-15778	2024-08-04
https://github.com/Neko-chanQwQ/CVE-2020-15778-Exploit	2022-02-18
https://github.com/Evan-Zhangyf/CVE-2020-15778	2023-09-27

URL	Date	SRC

URL	Date	SRC
https://security.gentoo.org/glsa/202212-06	2024-07-03
https://www.openssh.com/security.html	2024-07-03
https://access.redhat.com/security/cve/CVE-2020-15778	2024-05-22
https://bugzilla.redhat.com/show_bug.cgi?id=1860487	2024-05-22
https://access.redhat.com/articles/5284081	2024-05-22

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Netapp Search vendor "Netapp"	A700s Firmware Search vendor "Netapp" for product "A700s Firmware"	-	-	Affected	in	Netapp Search vendor "Netapp"	A700s Search vendor "Netapp" for product "A700s"	-	-	Safe
Openbsd Search vendor "Openbsd"		Openssh Search vendor "Openbsd" for product "Openssh"				< 8.3 Search vendor "Openbsd" for product "Openssh" and version " < 8.3"		-		Affected
Openbsd Search vendor "Openbsd"		Openssh Search vendor "Openbsd" for product "Openssh"				8.3 Search vendor "Openbsd" for product "Openssh" and version "8.3"		-		Affected
Openbsd Search vendor "Openbsd"		Openssh Search vendor "Openbsd" for product "Openssh"				8.3 Search vendor "Openbsd" for product "Openssh" and version "8.3"		p1		Affected
Netapp Search vendor "Netapp"		Active Iq Unified Manager Search vendor "Netapp" for product "Active Iq Unified Manager"				>= 9.5 Search vendor "Netapp" for product "Active Iq Unified Manager" and version " >= 9.5"		vmware_vsphere		Affected
Netapp Search vendor "Netapp"		Hci Management Node Search vendor "Netapp" for product "Hci Management Node"				-		-		Affected
Netapp Search vendor "Netapp"		Solidfire Search vendor "Netapp" for product "Solidfire"				-		-		Affected
Netapp Search vendor "Netapp"		Steelstore Cloud Integrated Storage Search vendor "Netapp" for product "Steelstore Cloud Integrated Storage"				-		-		Affected
Netapp Search vendor "Netapp"		Hci Compute Node Search vendor "Netapp" for product "Hci Compute Node"				-		-		Affected
Netapp Search vendor "Netapp"		Hci Storage Node Search vendor "Netapp" for product "Hci Storage Node"				-		-		Affected
Broadcom Search vendor "Broadcom"		Fabric Operating System Search vendor "Broadcom" for product "Fabric Operating System"				-		-		Affected