Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
Remote-to-remote scp requires user-initiated transfer (UI:R) with high attack complexity (AC:H); path misplacement causes limited integrity and availability impact with no confidentiality exposure.
Primary rating from Vendor (mitre).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
Lifecycle Timeline
3DescriptionNVD
scp in OpenSSH before 10.4 may place a file in the parent directory of an intended directory when the copy occurs between two remote destinations.
AnalysisAI
Path traversal in the scp utility of OpenSSH before 10.4 causes files to be written into the parent directory of the intended destination during remote-to-remote copy operations. The root cause is CWE-23 (Relative Path Traversal): scp fails to canonicalize or sanitize paths when relaying data between two remote hosts, allowing an attacker controlling a malicious endpoint to influence where transferred files land. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the scp copy to occur specifically in remote-to-remote (third-party) mode, where both the source and destination are remote hosts rather than the local client - this is a non-default and less common usage pattern. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 4.2 (Medium) accurately reflects a vulnerability with meaningful real-world constraints. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who controls a malicious SSH server could wait for a victim's automated backup or deployment script to invoke scp in remote-to-remote mode - for example, copying artifacts from a build host to that attacker-controlled server and then on to a second destination. The malicious server returns a crafted path response causing scp to write the transferred file one directory level above the intended destination, potentially overwriting a configuration file or executable in the parent path. … |
| Remediation | Upgrade to OpenSSH 10.4p1 or later, which resolves the scp path traversal flaw; the release notes are published at https://www.openssh.org/releasenotes.html#10.4p1. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which
GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, whi
GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of
freeSSHd.exe in freeSSHd through 1.2.6 allows remote attackers to bypass authentication via a crafted session, as demons
GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, whi
OpenSSH server (sshd) 9.1 introduced a double-free vulnerability during options.kex_algorithms handling. Rated medium se
sshd in OpenSSH before 7.3, when SHA256 or SHA512 are used for user password hashing, uses BLOWFISH hashing on a static
The kbdint_next_device function in auth2-chall.c in sshd in OpenSSH through 6.9 does not properly restrict the processin
The auth_password function in auth-passwd.c in sshd in OpenSSH before 7.3 does not limit password lengths for password a
Remote code execution in OpenSSH's sshd server (regression of CVE-2006-5051) allows unauthenticated remote attackers to
The SSH USERAUTH CHANGE REQUEST feature in SSH Tectia Server 6.0.4 through 6.0.20, 6.1.0 through 6.1.12, 6.2.0 through 6
The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remot
Same weakness CWE-23 – Relative Path Traversal
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42138
GHSA-8v2x-fhq9-4fv3