CVE-2020-36254

Description

scp.c in Dropbear before 2020.79 mishandles the filename of . or an empty filename, a related issue to CVE-2018-20685.

How to fix CVE-2020-36254

To remediate CVE-2020-36254, upgrade the affected package to a fixed version below.

• Alpine/dropbear—upgrade to 2019.78-r1 or later
• Debian/dropbear—upgrade to 2020.79-1 or later

Is CVE-2020-36254 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

• from 0, < 2019.78-r1
• from 0, < 2020.79-1

CVSS scores

References (2)

• ADVISORYsecurity.alpinelinux.org/vuln/CVE-2020-36254
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2020-36254