===========================================================
== Subject:     Unsanitized location in scp could lead to
==              unwanted command execution.
==
== CVE ID#:     CVE-2019-14889
==
== Versions:    libssh >= 0.4.0
==
== Summary:     In an environment where a user is only
==              allowed to copy files and not to execute
==              applications, it would be possible to pass
==              a location which contains commands to be
==              executed in addition.
==
===========================================================

===========
Description
===========

When the libssh SCP client connects to a server, the scp command, which
includes a user-provided path, is executed on the server-side. In case the
library is used in a way where users can influence the third parameter of
ssh_scp_new(), it would become possible for an attacker to inject arbitrary
commands, leading to a compromise of the remote target.

==================
Patch Availability
==================

Patches addressing the issues have been posted to:

    https://www.libssh.org/security/

Additionally, libssh 0.9.3 and 0.8.8 have been issued as security releases
to correct the defect. SSH administrators are advised to upgrade to these
releases or apply the patch as soon as possible.

==================
CVSSv3 calculation
==================

CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N (2.6)

==========
Workaround
==========

Sanitize the location before it is passed to ssh_scp_new().

=======
Credits
=======

Originally reported by Cure53 (https://cure53.de/).
Patches provided by Anderson Sasaki of the libssh team.

==========================================================
== The libssh team
==========================================================