In OpenSSH 7.9, because the client accepts and displays arbitrary stderr output from the server, a malicious server (or man-in-the-middle attacker) can manipulate the client output, for example by using ANSI control codes to hide additional files being transferred.
Inappropriate Encoding for Output Context
User Interface (UI) Misrepresentation of Critical Information
Package | Type | OS Name | OS Version | Affected Ranges | Fix Versions |
---|---|---|---|---|---|
debian/openssh | deb | debian | 12 | >=1:9.2p1-2+deb12u2 | Not yet available |
debian/openssh | deb | debian | unstable | >=1:9.7p1-5 | Not yet available |
debian/openssh | deb | debian | 10 | >=1:7.9p1-10+deb10u2 | Not yet available |
debian/openssh | deb | debian | 11 | >=1:8.4p1-5+deb11u3 | Not yet available |
debian/openssh | deb | debian | 13 | >=1:9.7p1-5 | Not yet available |
Severity and metrics
No CVSS data available from this source.
1.6
1.6
1.6
2.1