ID CVE-2006-0225
Summary scp in OpenSSH 4.2p1 allows attackers to execute arbitrary commands via filenames that contain shell metacharacters or spaces, which are expanded twice.
References
Vulnerable Configurations
  • cpe:2.3:a:openbsd:openssh:3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:openbsd:openssh:3.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:openbsd:openssh:3.0.1p1:*:*:*:*:*:*:*
  • cpe:2.3:a:openbsd:openssh:3.0.2:*:*:*:*:*:*:*
  • cpe:2.3:a:openbsd:openssh:3.0.2p1:*:*:*:*:*:*:*
  • cpe:2.3:a:openbsd:openssh:3.0p1:*:*:*:*:*:*:*
  • cpe:2.3:a:openbsd:openssh:3.1:*:*:*:*:*:*:*
  • cpe:2.3:a:openbsd:openssh:3.1p1:*:*:*:*:*:*:*
  • cpe:2.3:a:openbsd:openssh:3.2:*:*:*:*:*:*:*
  • cpe:2.3:a:openbsd:openssh:3.2.2p1:*:*:*:*:*:*:*
  • cpe:2.3:a:openbsd:openssh:3.2.3p1:*:*:*:*:*:*:*
  • cpe:2.3:a:openbsd:openssh:3.3:*:*:*:*:*:*:*
  • cpe:2.3:a:openbsd:openssh:3.3p1:*:*:*:*:*:*:*
  • cpe:2.3:a:openbsd:openssh:3.4:*:*:*:*:*:*:*
  • cpe:2.3:a:openbsd:openssh:3.4p1:*:*:*:*:*:*:*
  • cpe:2.3:a:openbsd:openssh:3.5:*:*:*:*:*:*:*
  • cpe:2.3:a:openbsd:openssh:3.5p1:*:*:*:*:*:*:*
  • cpe:2.3:a:openbsd:openssh:3.6:*:*:*:*:*:*:*
  • cpe:2.3:a:openbsd:openssh:3.6.1:*:*:*:*:*:*:*
  • cpe:2.3:a:openbsd:openssh:3.6.1p1:*:*:*:*:*:*:*
  • cpe:2.3:a:openbsd:openssh:3.6.1p2:*:*:*:*:*:*:*
  • cpe:2.3:a:openbsd:openssh:3.7:*:*:*:*:*:*:*
  • cpe:2.3:a:openbsd:openssh:3.7.1:*:*:*:*:*:*:*
  • cpe:2.3:a:openbsd:openssh:3.7.1p2:*:*:*:*:*:*:*
  • cpe:2.3:a:openbsd:openssh:3.8:*:*:*:*:*:*:*
  • cpe:2.3:a:openbsd:openssh:3.8.1:*:*:*:*:*:*:*
  • cpe:2.3:a:openbsd:openssh:3.8.1p1:*:*:*:*:*:*:*
  • cpe:2.3:a:openbsd:openssh:3.9:*:*:*:*:*:*:*
  • cpe:2.3:a:openbsd:openssh:3.9.1:*:*:*:*:*:*:*
  • cpe:2.3:a:openbsd:openssh:3.9.1p1:*:*:*:*:*:*:*
  • cpe:2.3:a:openbsd:openssh:4.0p1:*:*:*:*:*:*:*
  • cpe:2.3:a:openbsd:openssh:4.1p1:*:*:*:*:*:*:*
  • cpe:2.3:a:openbsd:openssh:4.2p1:*:*:*:*:*:*:*
CVSS
Base: 4.6 (as of 19-10-2018 - 15:43)
Impact:
Exploitability:
CWE NVD-CWE-Other
CAPEC
Access
  Vector LOCAL
  Complexity LOW
  Authentication NONE
Impact
  Confidentiality PARTIAL
  Integrity PARTIAL
  Availability PARTIAL
cvss-vector via4 AV:L/AC:L/Au:N/C:P/I:P/A:P
oval via4
  • accepted 2014-06-09T04:00:06.911-04:00
    class vulnerability
    contributors
    • name Yuzheng Zhou
      organization Opsware, Inc.
    • name Jerome Athias
      organization McAfee, Inc.
    definition_extensions
    • comment Solaris 9 (SPARC) is installed
      oval oval:org.mitre.oval:def:1457
    • comment Solaris 9 (x86) is installed
      oval oval:org.mitre.oval:def:1683
    • comment Solaris 10 (SPARC) is installed
      oval oval:org.mitre.oval:def:1440
    • comment Solaris 10 (x86) is installed
      oval oval:org.mitre.oval:def:1926
    description scp in OpenSSH 4.2p1 allows attackers to execute arbitrary commands via filenames that contain shell metacharacters or spaces, which are expanded twice.
    family unix
    id oval:org.mitre.oval:def:1138
    status accepted
    submitted 2007-06-28T09:00:00.000-04:00
    title Security Vulnerability Relating to scp(1) Command May Allow Attackers to Execute Arbitrary Commands
    version 38
  • accepted 2013-04-29T04:23:40.838-04:00
    class vulnerability
    contributors
    • name Aharon Chernin
      organization SCAP.com, LLC
    • name Dragos Prisaca
      organization G2, Inc.
    definition_extensions
    • comment The operating system installed on the system is Red Hat Enterprise Linux 3
      oval oval:org.mitre.oval:def:11782
    • comment CentOS Linux 3.x
      oval oval:org.mitre.oval:def:16651
    • comment The operating system installed on the system is Red Hat Enterprise Linux 4
      oval oval:org.mitre.oval:def:11831
    • comment CentOS Linux 4.x
      oval oval:org.mitre.oval:def:16636
    • comment Oracle Linux 4.x
      oval oval:org.mitre.oval:def:15990
    description scp in OpenSSH 4.2p1 allows attackers to execute arbitrary commands via filenames that contain shell metacharacters or spaces, which are expanded twice.
    family unix
    id oval:org.mitre.oval:def:9962
    status accepted
    submitted 2010-07-09T03:56:16-04:00
    title scp in OpenSSH 4.2p1 allows attackers to execute arbitrary commands via filenames that contain shell metacharacters or spaces, which are expanded twice.
    version 29
redhat via4
advisories
  • bugzilla
    id 168167
    title CVE-2006-0225 local to local copy uses shell expansion twice
    oval
    OR
    • comment Red Hat Enterprise Linux must be installed
      oval oval:com.redhat.rhba:tst:20070304026
    • AND
      • comment Red Hat Enterprise Linux 4 is installed
        oval oval:com.redhat.rhba:tst:20070304025
      • OR
        • AND
          • comment openssh is earlier than 0:3.9p1-8.RHEL4.12
            oval oval:com.redhat.rhsa:tst:20060044001
          • comment openssh is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20060044002
        • AND
          • comment openssh-askpass is earlier than 0:3.9p1-8.RHEL4.12
            oval oval:com.redhat.rhsa:tst:20060044003
          • comment openssh-askpass is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20060044004
        • AND
          • comment openssh-askpass-gnome is earlier than 0:3.9p1-8.RHEL4.12
            oval oval:com.redhat.rhsa:tst:20060044005
          • comment openssh-askpass-gnome is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20060044006
        • AND
          • comment openssh-clients is earlier than 0:3.9p1-8.RHEL4.12
            oval oval:com.redhat.rhsa:tst:20060044007
          • comment openssh-clients is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20060044008
        • AND
          • comment openssh-server is earlier than 0:3.9p1-8.RHEL4.12
            oval oval:com.redhat.rhsa:tst:20060044009
          • comment openssh-server is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20060044010
    rhsa
    id RHSA-2006:0044
    released 2006-03-07
    severity Low
    title RHSA-2006:0044: openssh security update (Low)
  • rhsa
    id RHSA-2006:0298
  • rhsa
    id RHSA-2006:0698
rpms
  • openssh-0:3.9p1-8.RHEL4.12
  • openssh-askpass-0:3.9p1-8.RHEL4.12
  • openssh-askpass-gnome-0:3.9p1-8.RHEL4.12
  • openssh-clients-0:3.9p1-8.RHEL4.12
  • openssh-debuginfo-0:3.9p1-8.RHEL4.12
  • openssh-server-0:3.9p1-8.RHEL4.12
  • openssh-0:3.6.1p2-33.30.9
  • openssh-askpass-0:3.6.1p2-33.30.9
  • openssh-askpass-gnome-0:3.6.1p2-33.30.9
  • openssh-clients-0:3.6.1p2-33.30.9
  • openssh-debuginfo-0:3.6.1p2-33.30.9
  • openssh-server-0:3.6.1p2-33.30.9
  • openssh-0:3.1p1-21
  • openssh-askpass-0:3.1p1-21
  • openssh-askpass-gnome-0:3.1p1-21
  • openssh-clients-0:3.1p1-21
  • openssh-server-0:3.1p1-21
refmap via4
apple APPLE-SA-2007-03-13
bid 16369
cert TA07-072A
confirm
fedora
  • FEDORA-2006-056
  • FLSA-2006:168935
gentoo GLSA-200602-11
hp
  • HPSBUX02178
  • SSRT061267
mandriva MDKSA-2006:034
openbsd 20060212 [3.8] 005: SECURITY FIX: February 12, 2006
openpkg OpenPKG-SA-2006.003
osvdb 22692
sectrack 1015540
secunia
  • 18579
  • 18595
  • 18650
  • 18736
  • 18798
  • 18850
  • 18910
  • 18964
  • 18969
  • 18970
  • 19159
  • 20723
  • 21129
  • 21262
  • 21492
  • 21724
  • 22196
  • 23241
  • 23340
  • 23680
  • 24479
  • 25607
  • 25936
sgi 20060703-01-P
slackware SSA:2006-045-06
sreason 462
sunalert 102961
suse SUSE-SA:2006:008
trustix 2006-0004
ubuntu USN-255-1
vupen
  • ADV-2006-0306
  • ADV-2006-2490
  • ADV-2006-4869
  • ADV-2007-0930
  • ADV-2007-2120
xf openssh-scp-command-execution(24305)
statements via4
contributor Joshua Bressers
lastmodified 2009-09-09
organization Red Hat
statement This issue was addressed in Red Hat Enterprise Linux 2.1, 3 and 4: https://rhn.redhat.com/errata/CVE-2006-0225.html https://www.redhat.com/security/data/cve/CVE-2006-0225.html Issue was fixed upstream in version 4.3. The openssh packages in Red Hat Enterprise Linux 5 are based on the fixed upstream version and were not affected by this flaw.
Last major update 19-10-2018 - 15:43
Published 25-01-2006 - 11:03
Last modified 19-10-2018 - 15:43