An issue was discovered in OpenSSH 7.4 on Amazon Linux 2 and Amazon Linux 1. The fix for CVE-2019-6111 only covered cases where an absolute path is passed to scp. When a relative path is used, the client does not verify that the name of a received file matches the file that was requested.

Platform | Package | Release Date | Advisory |
---|---|---|---|
Amazon Linux 1 | openssh | 2023-08-03 20:16 | ALAS-2023-1794 |
Amazon Linux 2 - Core | openssh | 2023-08-03 18:29 | ALAS2-2023-2202 |

Source | Score Type | Score | Vector |
---|---|---|---|
Amazon Linux | CVSSv3 | 5.3 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N |
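
The check that the description above says is missing for relative paths, sketched as an added example; this is not OpenSSH's or Amazon's code. The helper name `received_name_ok` and the file names are constructed for illustration, and the helper applies one rule to absolute and relative requests alike by matching only the last path component.

```c
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>

/* Last component of the requested path: "/a/b/f", "dir/f" and "f" all give "f". */
static const char *last_component(const char *path)
{
    const char *slash = strrchr(path, '/');
    return slash ? slash + 1 : path;
}

/*
 * Return 1 if the file name announced by the server is acceptable for the
 * path the user asked for, 0 otherwise. Hypothetical helper for illustration.
 * Simplification: requests with no final name ("dir/", ".", "..") are refused.
 */
int received_name_ok(const char *requested, const char *received)
{
    const char *pattern = last_component(requested);

    if (received == NULL || *received == '\0')
        return 0;
    /* A received name must be a single component, never a path. */
    if (strchr(received, '/') != NULL)
        return 0;
    if (strcmp(received, ".") == 0 || strcmp(received, "..") == 0)
        return 0;
    if (*pattern == '\0' || strcmp(pattern, ".") == 0 || strcmp(pattern, "..") == 0)
        return 0;
    /* Globs in the request are honoured; FNM_PERIOD keeps "*" from matching dotfiles. */
    return fnmatch(pattern, received, FNM_PERIOD) == 0;
}

int main(void)
{
    /* Constructed request/response pairs. */
    printf("absolute, same name:   %d\n", received_name_ok("/srv/data/report.txt", "report.txt"));
    printf("relative, same name:   %d\n", received_name_ok("data/report.txt", "report.txt"));
    printf("relative, other name:  %d\n", received_name_ok("data/report.txt", "unrequested.txt"));
    printf("relative glob, dotfile: %d\n", received_name_ok("data/*", ".hidden"));
    return 0;
}
```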