CVE-2020-15778
7.4
HIGH
CVSS 3.1
EPSS 64.3%
Description
scp in OpenSSH through 8.3p1 allows command injection in the scp.c toremote function, as demonstrated by backtick characters in the destination argument. NOTE: the vendor reportedly has stated that they intentionally omit validation of "anomalous argument transfers" because that could "stand a great chance of breaking existing workflows."
How to fix CVE-2020-15778
To remediate CVE-2020-15778, upgrade the affected package to a fixed version below.
- —upgrade to 8.3_p1-r0 or later
- —no fix listed
Is CVE-2020-15778 being exploited?
Likely — EPSS is 64.3%, placing CVE-2020-15778 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.
Affected packages (2)
- from 0, < 8.3_p1-r0
- from 0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.4 | CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H |