Arbitrary file write via path traversal in SCP client
Summary
AsyncSSH is a Python package which provides an asynchronous client and server implementation of the SSHv2 protocol on top of the Python asyncio framework. Prior to 2.23.1, a malicious SSH server can write arbitrary files on the asyncssh SCP client's filesystem by sending filenames containing ../ traversal sequences because _parse_cd_args in scp.py returns server-provided names verbatim and _recv_files joins them to the destination path without enforcing the target directory boundary. This issue is fixed in version 2.23.1. A flaw was found in AsyncSSH, a Python package for SSHv2 protocol implementation. A malicious SSH server could exploit this vulnerability by sending specially crafted filenames containing directory traversal sequences to an AsyncSSH SCP client. This could allow the server to write arbitrary files to the client's filesystem, leading to unauthorized data modification or system disruption. This Important flaw in AsyncSSH's SCP client allows a malicious SSH server to perform arbitrary file writes on the client's filesystem through directory traversal. This occurs when an AsyncSSH SCP client connects to a compromised or malicious server, enabling unauthorized data modification or system disruption on the client. Red Hat severity: Important — CVSS 8.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H). Weakness: CWE-22. No fixing RHSA erratum has published yet; monitor the Red Hat CVE page and patch when it ships.
Mitigation checklist
- The core risk of this flaw is that the malicious server uses a path traversal trick to write files where it shouldn't on your client (like overwriting /etc/shadow or critical system binaries). By making the container's root filesystem read-only, you completely neutralize this attack. Even if the vulnerability is triggered, the container's kernel will block the unauthorized write attempt.
Official advisory · high-confidence parse· fetched 30 seconds ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.