{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2020-15778", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-08-04T13:22:30.831Z", "dateReserved": "2020-07-15T00:00:00", "datePublished": "2020-07-24T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-06-04T16:53:15.270364"}, "descriptions": [{"lang": "en", "value": "scp in OpenSSH through 8.3p1 allows command injection in the scp.c toremote function, as demonstrated by backtick characters in the destination argument. NOTE: the vendor reportedly has stated that they intentionally omit validation of \"anomalous argument transfers\" because that could \"stand a great chance of breaking existing workflows.\""}], "tags": ["disputed"], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://www.openssh.com/security.html"}, {"url": "https://github.com/cpandya2909/CVE-2020-15778/"}, {"url": "https://security.netapp.com/advisory/ntap-20200731-0007/"}, {"url": "https://news.ycombinator.com/item?id=25005567"}, {"name": "GLSA-202212-06", "tags": ["vendor-advisory"], "url": "https://security.gentoo.org/glsa/202212-06"}, {"url": "https://access.redhat.com/errata/RHSA-2024:3166"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2020-15778", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-05-01T14:59:02.714297Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:openbsd:openssh:*:*:*:*:*:*:*:*"], "vendor": "openbsd", "product": "openssh", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "8.3p1"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:12:18.895Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T13:22:30.831Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.openssh.com/security.html", "tags": ["x_transferred"]}, {"url": "https://github.com/cpandya2909/CVE-2020-15778/", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20200731-0007/", "tags": ["x_transferred"]}, {"url": "https://news.ycombinator.com/item?id=25005567", "tags": ["x_transferred"]}, {"name": "GLSA-202212-06", "tags": ["vendor-advisory", "x_transferred"], "url": "https://security.gentoo.org/glsa/202212-06"}, {"url": "https://access.redhat.com/errata/RHSA-2024:3166", "tags": ["x_transferred"]}]}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.openssh.com/security.html", "tags": ["x_transferred"]}, {"url": "https://github.com/cpandya2909/CVE-2020-15778/", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20200731-0007/", "tags": ["x_transferred"]}, {"url": "https://news.ycombinator.com/item?id=25005567", "tags": ["x_transferred"]}, {"url": "https://security.gentoo.org/glsa/202212-06", "name": "GLSA-202212-06", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:3166", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T13:22:30.831Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2020-15778", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-05-01T14:59:02.714297Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:openbsd:openssh:*:*:*:*:*:*:*:*"], "vendor": "openbsd", "product": "openssh", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "8.3p1"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-01T15:00:36.603Z"}}], "cna": {"tags": ["disputed"], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://www.openssh.com/security.html"}, {"url": "https://github.com/cpandya2909/CVE-2020-15778/"}, {"url": "https://security.netapp.com/advisory/ntap-20200731-0007/"}, {"url": "https://news.ycombinator.com/item?id=25005567"}, {"url": "https://security.gentoo.org/glsa/202212-06", "name": "GLSA-202212-06", "tags": ["vendor-advisory"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:3166"}], "descriptions": [{"lang": "en", "value": "scp in OpenSSH through 8.3p1 allows command injection in the scp.c toremote function, as demonstrated by backtick characters in the destination argument. NOTE: the vendor reportedly has stated that they intentionally omit validation of \"anomalous argument transfers\" because that could \"stand a great chance of breaking existing workflows.\""}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-06-04T16:53:15.270364"}}}, "cveMetadata": {"cveId": "CVE-2020-15778", "state": "PUBLISHED", "dateUpdated": "2024-08-04T13:22:30.831Z", "dateReserved": "2020-07-15T00:00:00", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2020-07-24T00:00:00", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openbsd:openssh:*:*:*:*:*:*:*:*", "matchCriteriaId": "4BF43EA3-A7C8-404B-B61C-856BA5A45F47", "versionEndExcluding": "8.3", "vulnerable": true}, {"criteria": "cpe:2.3:a:openbsd:openssh:8.3:-:*:*:*:*:*:*", "matchCriteriaId": "BE31BDF5-E836-4783-842C-79A9F4B384E5", "vulnerable": true}, {"criteria": "cpe:2.3:a:openbsd:openssh:8.3:p1:*:*:*:*:*:*", "matchCriteriaId": "7AF2FAD7-B7B8-4D8E-8BCD-EB7325C2328E", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:netapp:a700s_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "FDD92BFA-9117-4E6E-A13F-ED064B4B7284", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:netapp:a700s:-:*:*:*:*:*:*:*", "matchCriteriaId": "4B7DA42F-5D64-4967-A2D4-6210FE507841", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:*:*:*:*:*:vmware_vsphere:*:*", "matchCriteriaId": "0CB28AF5-5AF0-4475-A7B6-12E1795FFDCB", "versionStartIncluding": "9.5", "vulnerable": true}, {"criteria": "cpe:2.3:a:netapp:hci_management_node:-:*:*:*:*:*:*:*", "matchCriteriaId": "A3C19813-E823-456A-B1CE-EC0684CE1953", "vulnerable": true}, {"criteria": "cpe:2.3:a:netapp:solidfire:-:*:*:*:*:*:*:*", "matchCriteriaId": "A6E9EF0C-AFA8-4F7B-9FDC-1E0F7C26E737", "vulnerable": true}, {"criteria": "cpe:2.3:a:netapp:steelstore_cloud_integrated_storage:-:*:*:*:*:*:*:*", "matchCriteriaId": "E94F7F59-1785-493F-91A7-5F5EA5E87E4D", "vulnerable": true}, {"criteria": "cpe:2.3:h:netapp:hci_compute_node:-:*:*:*:*:*:*:*", "matchCriteriaId": "AD7447BC-F315-4298-A822-549942FC118B", "vulnerable": true}, {"criteria": "cpe:2.3:h:netapp:hci_storage_node:-:*:*:*:*:*:*:*", "matchCriteriaId": "02DEB4FB-A21D-4CB1-B522-EEE5093E8521", "vulnerable": true}, {"criteria": "cpe:2.3:o:broadcom:fabric_operating_system:-:*:*:*:*:*:*:*", "matchCriteriaId": "046FB51E-B768-44D3-AEB5-D857145CA840", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [{"sourceIdentifier": "cve@mitre.org", "tags": ["disputed"]}], "descriptions": [{"lang": "en", "value": "scp in OpenSSH through 8.3p1 allows command injection in the scp.c toremote function, as demonstrated by backtick characters in the destination argument. NOTE: the vendor reportedly has stated that they intentionally omit validation of \"anomalous argument transfers\" because that could \"stand a great chance of breaking existing workflows.\""}, {"lang": "es", "value": "** EN DISPUTA ** scp en OpenSSH versiones hasta 8.3p1 permite una inyecci\u00f3n de comandos en la funci\u00f3n toremote de scp.c, como lo demuestran los caracteres backtick en el argumento de destino. NOTA: seg\u00fan se informa, el proveedor ha declarado que omite intencionadamente la validaci\u00f3n de las \"transferencias de argumentos an\u00f3malos\" porque eso podr\u00eda \"tener grandes posibilidades de romper los flujos de trabajo existentes\""}], "id": "CVE-2020-15778", "lastModified": "2025-07-28T18:12:45.213", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.5, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2020-07-24T14:15:12.450", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2024:3166"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/cpandya2909/CVE-2020-15778/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://news.ycombinator.com/item?id=25005567"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202212-06"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20200731-0007/"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://www.openssh.com/security.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2024:3166"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/cpandya2909/CVE-2020-15778/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://news.ycombinator.com/item?id=25005567"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202212-06"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20200731-0007/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.openssh.com/security.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-78"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2024:3166", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "openssh-0:8.0p1-24.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-05-22T00:00:00Z"}, {"advisory": "RHSA-2024:3166", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "openssh-0:8.0p1-24.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-05-22T00:00:00Z"}], "bugzilla": {"description": "openssh: scp allows command injection when using backtick characters in the destination argument", "id": "1860487", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1860487"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.8", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-77", "details": ["scp in OpenSSH through 8.3p1 allows command injection in the scp.c toremote function, as demonstrated by backtick characters in the destination argument. NOTE: the vendor reportedly has stated that they intentionally omit validation of \"anomalous argument transfers\" because that could \"stand a great chance of breaking existing workflows.\"", "A flaw was found in the scp program shipped with the openssh-clients package. An attacker having the ability to scp files to a remote server, could execute arbitrary commands on the remote server by including the command as a part of the filename being copied on the server. This command is run with the permissions of user with which the files were copied on the remote server. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability."], "mitigation": {"lang": "en:us", "value": "As per upstream, because of the way scp is based on a historical protocol called rcp which relies on that style of argument passing and therefore encounters expansion problems. Making changes to how the scp command line works breaks the pattern used by scp consumers. Upstream therefore recommends the use of rsync in place of scp for better security.\nAlso, adding to the mitigation strategy the SCP protocol can be disabled by following the steps in the following documentation:\nhttps://access.redhat.com/node/7053909\nMore details about supported alternatives available at: https://access.redhat.com/articles/5284081"}, "name": "CVE-2020-15778", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Out of support scope", "package_name": "openssh", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "openssh", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Will not fix", "package_name": "openssh", "product_name": "Red Hat Enterprise Linux 7"}], "public_date": "2020-07-18T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-15778\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-15778\nhttps://access.redhat.com/articles/5284081\nhttps://github.com/cpandya2909/CVE-2020-15778"], "statement": "This security flaw lies in the way scp command parses its command line arguments. The SSH protocol or any other applications shipped as a part of openssh-clients packages are not vulnerable.\nIn order to exploit this flaw, the attacker needs to social engineer or manipulate a system administrator (who has root access on the remote server) to run scp with a malicious command line parameter. \nAdministrators can uninstall openssh-clients for additional protection against accidental usage of this binary. Removing the openssh-clients package will make binaries like scp and ssh etc unavailable on that system. Also administrators can change the execute permissions on the scp binary. However this mitigation will be in place until the openssh-clients package is updated.", "threat_severity": "Moderate"}