安全公告/【CVE-2020-12062】
基本信息
漏洞描述
** DISPUTED ** The scp client in OpenSSH 8.2 incorrectly sends duplicate responses to the server upon a utimes system call failure, which allows a malicious unprivileged user on the remote server to overwrite arbitrary files in the client's download directory by creating a crafted subdirectory anywhere on the remote server. The victim must use the command scp -rp to download a file hierarchy containing, anywhere inside, this crafted subdirectory. NOTE: the vendor points out that "this attack can achieve no more than a hostile peer is already able to achieve within the scp protocol" and "utimes does not fail under normal circumstances."
修复方式
yum update PackageName
漏洞判定
执行命令yum info PackageName获取软件包版本号,版本小于修复版本,则受此漏洞影响,版本大于等于修复版本,则此漏洞已修复
参考
https://www.openeuler.org/zh/security/cve/detail/?cveid=CVE-2020-12062&packageName=openssh
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12062
https://nvd.nist.gov/vuln/detail/CVE-2020-12062