Security readout for executives and security teams
Plain-English summary
This flaw affects the scp client behavior in OpenSSH. A hostile scp server, or a network attacker able to alter the session, could make the client write unexpected files into the chosen download area. Recursive copies increase business risk because nested paths can be manipulated.
Executive priority
Treat this as a moderate-priority hygiene issue. It is not a server takeover by itself, but it can corrupt files or alter client-side state when staff or automation retrieve files from hostile sources.
Technical view
OpenSSH scp inherited rcp semantics where the server chooses returned file and directory names. The client performed limited validation, mainly blocking directory traversal. CVE-2019-6111 allows arbitrary file overwrite within the client target directory, with broader impact during recursive transfers.
Likely exposure
Exposure is most likely on workstations, servers, jump hosts, or automation that use scp to retrieve files from untrusted or compromised servers. Systems that only run SSH servers are not the main concern based on the provided description.
Exploitation context
The bundle includes an Exploit-DB reference, showing public exploit material exists. It does not show CISA KEV listing or confirmed active exploitation, so active exploitation should not be claimed from these sources.
Researcher notes
The strongest evidence is the CVE description and vendor advisories. Affected-product metadata in the bundle is incomplete, so version scoping should rely on downstream vendor advisories rather than assuming all OpenSSH deployments are equally affected.
Mitigation direction
- Apply OpenSSH or platform updates from Debian, Ubuntu, Gentoo, FreeBSD, or relevant vendor advisories.
- Restrict scp downloads to trusted servers until patched.
- Avoid recursive scp from untrusted sources where operationally possible.
- Check appliance or embedded software vendor guidance, including NetApp where applicable.
Validation and detection
- Inventory systems and automation that invoke scp for inbound file copies.
- Check installed OpenSSH package versions against relevant vendor advisories.
- Review scripts for recursive scp usage from external or low-trust hosts.
- Confirm vendor patches are deployed through package or appliance update records.
Public sources used
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
CWE-22: File access and web shell behavior lookup
File traversal and upload weaknesses can lead teams to review file, web shell, execution, and collection telemetry. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Open ATT&CK lookupFile access behavior lookup
The CVE wording references file access or upload behavior, so file telemetry and web shell review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
Open ATT&CK lookupCVE-2019-6111 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
Open ATT&CK lookup- Severity
- Medium
- CVSS
- 5.9 (3.1)
- Known Exploited
- No
- Published
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
CNA and ADP enrichment extracted from CVE v5
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
CVSS vector scores
1 official scoreWe collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N2.23.6Primary CVE scoreVulnerability scoring details
Base CVSS 3.1 score
5.9MediumVector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Source materials
- CVE List V5 sourceCVE List V5
- DSA-4387CVE reference · vendor-advisory
- https://security.netapp.com/advisory/ntap-20190213-0001/CVE reference
- https://cvsweb.openbsd.org/src/usr.bin/ssh/scp.cCVE reference
- USN-3885-1CVE reference · vendor-advisory
- USN-3885-2CVE reference · vendor-advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=1677794CVE reference
- https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txtCVE reference
- 46193CVE reference · exploit
- GLSA-201903-16CVE reference · vendor-advisory
- [debian-lts-announce] 20190325 [SECURITY] [DLA 1728-1] openssh security updateCVE reference · mailing-list
- FEDORA-2019-0f4190cdb0CVE reference · vendor-advisory
- [mina-dev] 20190620 [jira] [Created] (SSHD-925) See if SCP vulnerability CVE-2019-6111 applies and mitigate it if soCVE reference · mailing-list
- [mina-dev] 20190623 [jira] [Comment Edited] (SSHD-925) See if SCP vulnerability CVE-2019-6111 applies and mitigate it if soCVE reference · mailing-list
- [mina-dev] 20190623 [jira] [Commented] (SSHD-925) See if SCP vulnerability CVE-2019-6111 applies and mitigate it if soCVE reference · mailing-list
- FreeBSD-EN-19:10CVE reference · vendor-advisory
- [mina-dev] 20190820 [jira] [Resolved] (SSHD-925) See if SCP vulnerability CVE-2019-6111 applies and mitigate it if soCVE reference · mailing-list
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.htmlCVE reference
- RHSA-2019:3702CVE reference · vendor-advisory
- https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdfCVE reference
Products and packages named in the record
CWE details
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
