CVE-2020-15778

Published: July 24, 2020Last modified: July 22, 2025

Description

scp in OpenSSH through 8.3p1 allows command injection in the scp.c toremote function, as demonstrated by backtick characters in the destination argument. NOTE: the vendor reportedly has stated that they intentionally omit validation of "anomalous argument transfers" because that could "stand a great chance of breaking existing workflows."

Severity score breakdown

Parameter	Value
Base score	7.4
Attack Vector	ADJACENT_NETWORK
Attack complexity	LOW
Privileges required	LOW
User interaction	REQUIRED
Scope	UNCHANGED
Confidentiality	HIGH
Integrity impact	HIGH
Availability impact	HIGH
Vector	CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Status

Product	Release	Package	Status
Alpaquita Linux	23 LTS	openssh	Not affected (9.1_p1-r5)
Alpaquita Linux	Stream	openssh	Not affected (9.4_p1-r0)
Hardened Containers	23 LTS	openssh	Not affected (9.1_p1-r5)
Hardened Containers	Stream	openssh	Not affected (9.4_p1-r0)

References

https://access.redhat.com/errata/RHSA-2024:3166
https://github.com/cpandya2909/CVE-2020-15778/
https://news.ycombinator.com/item?id=25005567
https://security.gentoo.org/glsa/202212-06
https://security.netapp.com/advisory/ntap-20200731-0007/
https://www.openssh.com/security.html