Fluid Attacks Database

Description

In OpenSSH 7.9, due to accepting and displaying arbitrary stderr output from the server, a malicious server (or Man-in-The-Middle attacker) can manipulate the client output, for example to use ANSI control codes to hide additional files being transferred.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version
debian 11	openssh	=1:10.0p1-1 \|\| =1:10.0p1-2 \|\| =1:10.0p1-3 \|\| =1:10.0p1-4 \|\| =1:10.0p1-5 \|\| =1:10.0p1-5~bpo12+2 \|\| =1:10.0p1-6 \|\| =1:10.0p1-7 \|\| =1:10.0p1-7~bpo12+1 \|\| =1:10.0p1-8 \|\| =1:10.1p1-1 \|\| =1:10.1p1-2 \|\| =1:10.2p1-1 \|\| =1:10.2p1-2 \|\| =1:10.2p1-2~bpo13+1 \|\| =1:10.2p1-3 \|\| =1:10.2p1-4 \|\| =1:10.2p1-5 \|\| =1:10.2p1-6 \|\| =1:10.2p1-6~bpo13+1 \|\| =1:10.3p1-1 \|\| =1:8.4p1-5 \|\| =1:8.4p1-5+deb11u1 \|\| =1:8.4p1-5+deb11u2 \|\| =1:8.4p1-5+deb11u3 \|\| =1:8.4p1-5+deb11u4 \|\| =1:8.4p1-5+deb11u5 \|\| =1:8.4p1-5+deb11u6 \|\| =1:8.4p1-6 \|\| =1:8.7p1-1 \|\| =1:8.7p1-2 \|\| =1:8.7p1-3 \|\| =1:8.7p1-4 \|\| =1:8.8p1-1 \|\| =1:8.9p1-1 \|\| =1:8.9p1-2 \|\| =1:8.9p1-3 \|\| =1:9.0p1-1 \|\| =1:9.1p1-1 \|\| =1:9.1p1-2 \|\| =1:9.2p1-1 \|\| =1:9.2p1-2 \|\| =1:9.3p1-1 \|\| =1:9.3p1-1+loong64 \|\| =1:9.3p2-1 \|\| =1:9.4p1-1 \|\| =1:9.5p1-1 \|\| =1:9.5p1-2 \|\| =1:9.6p1-1 \|\| =1:9.6p1-2 \|\| =1:9.6p1-3 \|\| =1:9.6p1-4 \|\| =1:9.6p1-5 \|\| =1:9.7p1-1 \|\| =1:9.7p1-2 \|\| =1:9.7p1-3 \|\| =1:9.7p1-3+hurd.1 \|\| =1:9.7p1-4 \|\| =1:9.7p1-5 \|\| =1:9.7p1-6 \|\| =1:9.7p1-7 \|\| =1:9.8p1-1 \|\| =1:9.8p1-2 \|\| =1:9.8p1-3 \|\| =1:9.8p1-4 \|\| =1:9.8p1-7 \|\| =1:9.8p1-8 \|\| =1:9.9p1-1 \|\| =1:9.9p1-2 \|\| =1:9.9p1-3 \|\| =1:9.9p1-3+hurd.1 \|\| =1:9.9p2-1 \|\| =1:9.9p2-2
debian 12	openssh	=1:10.0p1-1 \|\| =1:10.0p1-2 \|\| =1:10.0p1-3 \|\| =1:10.0p1-4 \|\| =1:10.0p1-5 \|\| =1:10.0p1-5~bpo12+2 \|\| =1:10.0p1-6 \|\| =1:10.0p1-7 \|\| =1:10.0p1-7~bpo12+1 \|\| =1:10.0p1-8 \|\| =1:10.1p1-1 \|\| =1:10.1p1-2 \|\| =1:10.2p1-1 \|\| =1:10.2p1-2 \|\| =1:10.2p1-2~bpo13+1 \|\| =1:10.2p1-3 \|\| =1:10.2p1-4 \|\| =1:10.2p1-5 \|\| =1:10.2p1-6 \|\| =1:10.2p1-6~bpo13+1 \|\| =1:10.3p1-1 \|\| =1:9.2p1-2 \|\| =1:9.2p1-2+deb12u1 \|\| =1:9.2p1-2+deb12u2 \|\| =1:9.2p1-2+deb12u3 \|\| =1:9.2p1-2+deb12u4 \|\| =1:9.2p1-2+deb12u5 \|\| =1:9.2p1-2+deb12u6 \|\| =1:9.2p1-2+deb12u7 \|\| =1:9.2p1-2+deb12u8 \|\| =1:9.2p1-2+deb12u9 \|\| =1:9.3p1-1 \|\| =1:9.3p1-1+loong64 \|\| =1:9.3p2-1 \|\| =1:9.4p1-1 \|\| =1:9.5p1-1 \|\| =1:9.5p1-2 \|\| =1:9.6p1-1 \|\| =1:9.6p1-2 \|\| =1:9.6p1-3 \|\| =1:9.6p1-4 \|\| =1:9.6p1-5 \|\| =1:9.7p1-1 \|\| =1:9.7p1-2 \|\| =1:9.7p1-3 \|\| =1:9.7p1-3+hurd.1 \|\| =1:9.7p1-4 \|\| =1:9.7p1-5 \|\| =1:9.7p1-6 \|\| =1:9.7p1-7 \|\| =1:9.8p1-1 \|\| =1:9.8p1-2 \|\| =1:9.8p1-3 \|\| =1:9.8p1-4 \|\| =1:9.8p1-7 \|\| =1:9.8p1-8 \|\| =1:9.9p1-1 \|\| =1:9.9p1-2 \|\| =1:9.9p1-3 \|\| =1:9.9p1-3+hurd.1 \|\| =1:9.9p2-1 \|\| =1:9.9p2-2
debian 14	openssh	=1:10.0p1-7 \|\| =1:10.0p1-8 \|\| =1:10.1p1-1 \|\| =1:10.1p1-2 \|\| =1:10.2p1-1 \|\| =1:10.2p1-2 \|\| =1:10.2p1-2~bpo13+1 \|\| =1:10.2p1-3 \|\| =1:10.2p1-4 \|\| =1:10.2p1-5 \|\| =1:10.2p1-6 \|\| =1:10.2p1-6~bpo13+1 \|\| =1:10.3p1-1
debian 13	openssh	=1:10.0p1-7 \|\| =1:10.0p1-7+deb13u1 \|\| =1:10.0p1-7+deb13u2 \|\| =1:10.0p1-8 \|\| =1:10.1p1-1 \|\| =1:10.1p1-2 \|\| =1:10.2p1-1 \|\| =1:10.2p1-2 \|\| =1:10.2p1-2~bpo13+1 \|\| =1:10.2p1-3 \|\| =1:10.2p1-4 \|\| =1:10.2p1-5 \|\| =1:10.2p1-6 \|\| =1:10.2p1-6~bpo13+1 \|\| =1:10.3p1-1
rpm rhel5	openssh	-
rpm rhel6	openssh	-
rpm rhel7	openssh	-
rpm rhel8	openssh	-

Aliases

1. CVE-2019-61102. NVD-2019-61103. OSV-DEBIAN-2019-61104. OSV-2019-61105. SECURITY-TRACKER-CVE-2019-6110

References

1. https://vulncheck.com/cve/CVE-2019-6110

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.