DescriptionA flaw was found with the libssh API function ssh_scp_new() in versions before 0.9.3 and before 0.8.8. When the libssh SCP client connects to a server, the scp command, which includes a user-provided path, is executed on the server-side. In case the library is used in a way where users can influence the third parameter of the function, it would become possible for an attacker to inject arbitrary commands, leading to a compromise of the remote target.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severityhigh
Debian Bugs946548

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libssh (PTS)stretch0.7.3-2+deb9u2vulnerable
stretch (security)0.7.3-2+deb9u3vulnerable
bullseye, sid0.9.5-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs


[buster] - libssh <no-dsa> (Minor issue)
[stretch] - libssh <no-dsa> (Minor issue)
The fix in libssh makes an update in x2goclient necessary, cf:;a=commitdiff;h=ce559d163a943737fe4160f7233925df2eee1f9a

Search for package or bug name: Reporting problems