VYPR
Unrated severity · NVD Advisory · Published Jan 25, 2006 · Updated Apr 16, 2026

CVE-2006-0225

Description

A flaw in scp (OpenSSH 4.2p1) allows attackers to execute arbitrary commands via double expansion of shell metacharacters in filenames.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A command injection vulnerability exists in the scp utility as shipped in OpenSSH 4.2p1. The flaw stems from improper handling of filenames that contain shell metacharacters (e.g., ;, |, and backticks) or spaces. During local-to-local or remote-to-remote file copies, the shell expands these metacharacters a second time, allowing an attacker to inject arbitrary commands [2]. Affected packages include openssh-client in Ubuntu 4.10, 5.04, and 5.10, and various enterprise Linux distributions [2][3][4].
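The second expansion described above, as an added example that is not OpenSSH's code: a local copy built as a command string for the shell next to the same copy run with an argument vector. The helper names (copy_via_shell, copy_via_exec, demo), the use of cp as the copy command, and the harmless space-containing filename are assumptions constructed for illustration.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Weak pattern: filenames are pasted into a command line, so /bin/sh parses them again. */
int copy_via_shell(const char *src, const char *dst)
{
    char cmd[1024];
    int n = snprintf(cmd, sizeof cmd, "cp -- %s %s", src, dst);
    if (n < 0 || (size_t)n >= sizeof cmd) return -1;
    int st = system(cmd);
    return (st != -1 && WIFEXITED(st)) ? WEXITSTATUS(st) : -1;
}

/* Hardened pattern: no shell involved; each filename is exactly one argv element. */
int copy_via_exec(const char *src, const char *dst)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = {"cp", "--", (char *)src, (char *)dst, NULL};
        execvp(argv[0], argv);
        _exit(127);                      /* exec failed */
    }
    int st;
    if (waitpid(pid, &st, 0) < 0) return -1;
    return WIFEXITED(st) ? WEXITSTATUS(st) : -1;
}

/* Constructed input: a benign name with a space. Returns 1 if the copy arrived at dst. */
int demo(int (*copy)(const char *, const char *))
{
    char dir[] = "/tmp/scpdemoXXXXXX", src[256], dst[256];
    if (!mkdtemp(dir)) return -1;
    snprintf(src, sizeof src, "%s/quarterly report.txt", dir);
    snprintf(dst, sizeof dst, "%s/copy.txt", dir);
    FILE *f = fopen(src, "w");
    if (!f) return -1;
    fputs("data\n", f); fclose(f);
    int ok = copy(src, dst) == 0 && access(dst, R_OK) == 0;
    unlink(src); unlink(dst); rmdir(dir);
    return ok;
}

int main(void) {
    printf("shell: %d  exec: %d\n", demo(copy_via_shell), demo(copy_via_exec));
    return 0;
}
```

The shell variant fails even on this harmless name because the shell splits it into two words; the same reparsing is what gives metacharacters in a filename their meaning.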

Exploitation

An attacker can exploit this vulnerability by tricking a user into running scp on a specially crafted filename (e.g., by using an innocuous wildcard like * that matches the malicious filename). No authentication or special privileges are needed beyond the user executing scp; the attack can be performed locally or via a remote-to-remote copy where the attacker controls the source or destination filename [2]. The attacker supplies a filename containing shell metacharacters, which scp passes to a shell without proper sanitization, resulting in execution of the injected commands with the user's privileges.

Impact

Successful exploitation allows the attacker to execute arbitrary shell commands with the privileges of the user running scp. This leads to partial compromise of confidentiality, integrity, and availability (CVSS 4.6, impact subscore 6.4/10) [2]. The attacker can read, modify, or delete files accessible to the user, install malware, or pivot to other systems.

Mitigation

Patched versions are available: Ubuntu packages were fixed in versions 1:3.8.1p1-11ubuntu3.3 (4.10), 1:3.9p1-1ubuntu2.2 (5.04), and 1:4.1p1-7ubuntu4.1 (5.10) [2]. Red Hat and Avaya issued security updates (e.g., RHSA-2006-0298, ASA-2006-174) [3][4]. Users are advised to upgrade their openssh packages. Where possible, use sftp instead of scp for operations involving untrusted filenames, as scp is not designed to handle them securely [2]. No workaround exists other than applying the patch.

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

35
  • OpenBSD/OpenSSH: 34 versions
    • cpe:2.3:a:openbsd:openssh:3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:openbsd:openssh:3.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:openbsd:openssh:3.0.1p1:*:*:*:*:*:*:*
    • cpe:2.3:a:openbsd:openssh:3.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:openbsd:openssh:3.0.2p1:*:*:*:*:*:*:*
    • cpe:2.3:a:openbsd:openssh:3.0p1:*:*:*:*:*:*:*
    • cpe:2.3:a:openbsd:openssh:3.1:*:*:*:*:*:*:*
    • cpe:2.3:a:openbsd:openssh:3.1p1:*:*:*:*:*:*:*
    • cpe:2.3:a:openbsd:openssh:3.2:*:*:*:*:*:*:*
    • cpe:2.3:a:openbsd:openssh:3.2.2p1:*:*:*:*:*:*:*
    • cpe:2.3:a:openbsd:openssh:3.2.3p1:*:*:*:*:*:*:*
    • cpe:2.3:a:openbsd:openssh:3.3:*:*:*:*:*:*:*
    • cpe:2.3:a:openbsd:openssh:3.3p1:*:*:*:*:*:*:*
    • cpe:2.3:a:openbsd:openssh:3.4:*:*:*:*:*:*:*
    • cpe:2.3:a:openbsd:openssh:3.4p1:*:*:*:*:*:*:*
    • cpe:2.3:a:openbsd:openssh:3.5:*:*:*:*:*:*:*
    • cpe:2.3:a:openbsd:openssh:3.5p1:*:*:*:*:*:*:*
    • cpe:2.3:a:openbsd:openssh:3.6:*:*:*:*:*:*:*
    • cpe:2.3:a:openbsd:openssh:3.6.1:*:*:*:*:*:*:*
    • cpe:2.3:a:openbsd:openssh:3.6.1p1:*:*:*:*:*:*:*
    • cpe:2.3:a:openbsd:openssh:3.6.1p2:*:*:*:*:*:*:*
    • cpe:2.3:a:openbsd:openssh:3.7:*:*:*:*:*:*:*
    • cpe:2.3:a:openbsd:openssh:3.7.1:*:*:*:*:*:*:*
    • cpe:2.3:a:openbsd:openssh:3.7.1p2:*:*:*:*:*:*:*
    • cpe:2.3:a:openbsd:openssh:3.8:*:*:*:*:*:*:*
    • cpe:2.3:a:openbsd:openssh:3.8.1:*:*:*:*:*:*:*
    • cpe:2.3:a:openbsd:openssh:3.8.1p1:*:*:*:*:*:*:*
    • cpe:2.3:a:openbsd:openssh:3.9:*:*:*:*:*:*:*
    • cpe:2.3:a:openbsd:openssh:3.9.1:*:*:*:*:*:*:*
    • cpe:2.3:a:openbsd:openssh:3.9.1p1:*:*:*:*:*:*:*
    • cpe:2.3:a:openbsd:openssh:4.0p1:*:*:*:*:*:*:*
    • cpe:2.3:a:openbsd:openssh:4.1p1:*:*:*:*:*:*:*
    • cpe:2.3:a:openbsd:openssh:4.2p1:*:*:*:*:*:*:*
    • (no CPE) range: = 4.2p1

References

64
