CVE-2019-6109

Name: CVE-2019-6109
Creator: NVD / NIST
Published: 2019-01-31T18:29:00.71+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

MEDIUMCVSS 6.8/10EPSS 3.81%

Last modified Jun 17, 2026

CVE-2019-6109 is a medium-severity vulnerability rated 6.8/10 on the CVSS scale. An issue was discovered in OpenSSH 7.9. Due to missing character encoding in the progress display, a malicious server (or Man-in-The-Middle attacker) can employ crafted object names to manipulate the client output, e.g., by using ANSI control codes to hide additional files being transferred. EPSS estimates a 3.81% chance of exploitation in the next 30 days.

Description

An issue was discovered in OpenSSH 7.9. Due to missing character encoding in the progress display, a malicious server (or Man-in-The-Middle attacker) can employ crafted object names to manipulate the client output, e.g., by using ANSI control codes to hide additional files being transferred. This affects refresh_progress_meter() in progressmeter.c.

Metrics

CVSS 3.1

6.8/10

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

EPSS Probability

3.81%

88.7th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Openbsd	Openssh	<= 7.9
Winscp	Winscp	<= 5.13
Canonical	Ubuntu Linux	14.04
Canonical	Ubuntu Linux	16.04
Canonical	Ubuntu Linux	18.04
Canonical	Ubuntu Linux	18.10
Debian	Debian Linux	8.0
Debian	Debian Linux	9.0
Netapp	Element Software	All versions
Netapp	Ontap Select Deploy	All versions
Netapp	Storage Automation Store	All versions
Fedoraproject	Fedora	30
Redhat	Enterprise Linux	8.0
Redhat	Enterprise Linux Eus	8.1
Redhat	Enterprise Linux Eus	8.2
Redhat	Enterprise Linux Eus	8.4
Redhat	Enterprise Linux Eus	8.6
Redhat	Enterprise Linux Server Aus	8.2
Redhat	Enterprise Linux Server Aus	8.4
Redhat	Enterprise Linux Server Aus	8.6
Redhat	Enterprise Linux Server Tus	8.2
Redhat	Enterprise Linux Server Tus	8.4
Redhat	Enterprise Linux Server Tus	8.6
Siemens	Scalance X204rna Firmware	< 3.2.7
Siemens	Scalance X204rna Eec Firmware	< 3.2.7
Fujitsu	M10-1 Firmware	< xcp2361
Fujitsu	M10-4 Firmware	< xcp2361
Fujitsu	M10-4s Firmware	< xcp2361
Fujitsu	M12-1 Firmware	< xcp2361
Fujitsu	M12-2 Firmware	< xcp2361
Fujitsu	M12-2s Firmware	< xcp2361
Fujitsu	M10-1 Firmware	< xcp3070
Fujitsu	M10-4 Firmware	< xcp3070
Fujitsu	M10-4s Firmware	< xcp3070
Fujitsu	M12-1 Firmware	< xcp3070
Fujitsu	M12-2 Firmware	< xcp3070
Fujitsu	M12-2s Firmware	< xcp3070

References

http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00058.htmlBroken Link
https://access.redhat.com/errata/RHSA-2019:3702Third Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdfPatch, Third Party Advisory
https://cvsweb.openbsd.org/src/usr.bin/ssh/progressmeter.cRelease Notes, Vendor Advisory
https://cvsweb.openbsd.org/src/usr.bin/ssh/scp.cRelease Notes, Vendor Advisory
https://lists.debian.org/debian-lts-announce/2019/03/msg00030.htmlMailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W3YVQ2BPTOVDCFDVNC2GGF5P5ISFG37G/
https://security.gentoo.org/glsa/201903-16Third Party Advisory
https://security.netapp.com/advisory/ntap-20190213-0001/Third Party Advisory
https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txtThird Party Advisory
https://usn.ubuntu.com/3885-1/Third Party Advisory
https://www.debian.org/security/2019/dsa-4387Third Party Advisory
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.htmlPatch, Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00058.htmlBroken Link
https://access.redhat.com/errata/RHSA-2019:3702Third Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdfPatch, Third Party Advisory
https://cvsweb.openbsd.org/src/usr.bin/ssh/progressmeter.cRelease Notes, Vendor Advisory
https://cvsweb.openbsd.org/src/usr.bin/ssh/scp.cRelease Notes, Vendor Advisory
https://lists.debian.org/debian-lts-announce/2019/03/msg00030.htmlMailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W3YVQ2BPTOVDCFDVNC2GGF5P5ISFG37G/
https://security.gentoo.org/glsa/201903-16Third Party Advisory
https://security.netapp.com/advisory/ntap-20190213-0001/Third Party Advisory
https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txtThird Party Advisory
https://usn.ubuntu.com/3885-1/Third Party Advisory
https://www.debian.org/security/2019/dsa-4387Third Party Advisory
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.htmlPatch, Third Party Advisory

Timeline

Published: Jan 31, 2019
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2019-6109?

How severe is CVE-2019-6109?

CVE-2019-6109 has a CVSS score of 6.8/10 (MEDIUM severity). The EPSS model estimates a 3.81% probability of exploitation in the next 30 days.

How do I fix CVE-2019-6109?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2019-6109?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST