{"id":"CVE-2020-12062","details":"The scp client in OpenSSH 8.2 incorrectly sends duplicate responses to the server upon a utimes system call failure, which allows a malicious unprivileged user on the remote server to overwrite arbitrary files in the client's download directory by creating a crafted subdirectory anywhere on the remote server. The victim must use the command scp -rp to download a file hierarchy containing, anywhere inside, this crafted subdirectory. NOTE: the vendor points out that \"this attack can achieve no more than a hostile peer is already able to achieve within the scp protocol\" and \"utimes does not fail under normal circumstances.\"","modified":"2026-04-11T09:46:17.637251Z","published":"2020-06-01T16:15:14.260Z","references":[{"type":"ADVISORY","url":"https://github.com/openssh/openssh-portable/commit/aad87b88fc2536b1ea023213729aaf4eaabe1894"},{"type":"ADVISORY","url":"https://www.openssh.com/txt/release-8.3"},{"type":"ADVISORY","url":"https://www.openwall.com/lists/oss-security/2020/05/27/1"},{"type":"FIX","url":"https://github.com/openssh/openssh-portable/commit/955854cafca88e0cdcd3d09ca1ad4ada465364a1"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/openssh/openssh-portable","events":[{"introduced":"0"},{"last_affected":"8aa3455b16fddea4c0144a7c4a1edb10ec67dcc8"},{"fixed":"955854cafca88e0cdcd3d09ca1ad4ada465364a1"},{"fixed":"aad87b88fc2536b1ea023213729aaf4eaabe1894"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"8.2"}]}}],"versions":["ABOUT_TO_ADD_INET_ATON","AFTER_FREEBSD_PAM_MERGE","AFTER_KRB5_GSSAPI_MERGE","BEFORE_FREEBSD_PAM_MERGE","BEFORE_KRB5_GSSAPI_MERGE","POST_KRB4_REMOVAL","PRE-REORDER","PRE_CYGWIN_MERGE","PRE_DAN_PATCH_MERGE","PRE_FIXPATHS_INTEGRATION","PRE_HPUX_INTEGRATION","PRE_IPV6","PRE_KRB4_REMOVAL","PRE_NEW_LOGIN_CODE","PRE_SW_KRBV","V_1_2PRE17","V_1_2_1_PRE18","V_1_2_1_PRE19","V_1_2_1_PRE20","V_1_2_1_PRE21","V_1_2_1_PRE22","V_1_2_1_PRE23","V_1_2_1_PRE24","V_1_2_1_PRE25","V_1_2_1_P
RE26","V_1_2_1_PRE27","V_1_2_2","V_1_2_2_P1","V_1_2_2_PRE28","V_1_2_2_PRE29","V_1_2_3","V_1_2_3_PRE1","V_1_2_3_PRE2","V_1_2_3_PRE3","V_1_2_3_PRE4","V_1_2_3_PRE5","V_1_2_3_TEST1","V_1_2_3_TEST2","V_1_2_3_TEST3","V_1_2_PRE10","V_1_2_PRE11","V_1_2_PRE12","V_1_2_PRE13","V_1_2_PRE14","V_1_2_PRE15","V_1_2_PRE16","V_1_2_PRE4","V_1_2_PRE5","V_1_2_PRE6","V_1_2_PRE7","V_1_2_PRE8","V_1_2_PRE9","V_2_0_0_BETA1","V_2_0_0_BETA2","V_2_0_0_TEST1","V_2_1_0","V_2_1_0_P1","V_2_1_0_P2","V_2_1_0_P3","V_2_1_1_P1","V_2_1_1_P2","V_2_1_1_P3","V_2_1_1_P4","V_2_2_0_P1","V_2_3_0_P1","V_2_5_0_P1","V_2_5_1_P1","V_2_5_1_P2","V_2_5_2_P1","V_3_0_1_P1","V_3_0_P1","V_3_1_P1","V_3_2_2_P1","V_3_4_P1","V_3_6_1_P1","V_3_8_P1","V_3_9_P1","V_4_2_P1","V_5_0_P1","V_5_1_P1","V_5_2_P1","V_5_5_P1","V_5_7_P1","V_6_0_P1","V_6_1_P1","V_6_2_P1","V_6_5_P1","V_6_6_P1","V_6_8_P1","V_6_9_P1","V_7_0_P1","V_7_1_P1","V_7_2_P1","V_7_3_P1","V_7_4_P1","V_7_5_P1","V_7_6_P1","V_7_7_P1","V_7_8_P1","V_7_9_P1","V_8_0_P1","V_8_1_P1","V_8_2_P1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-12062.json","vanir_signatures":[{"digest":{"threshold":0.9,"line_hashes":["302129403808892202751107050716447255615","275137382540473504567894507747715995732","45176824089903249431708505459288988025","42650369721984932448816373549365574476","314108161380745870756091828391071409453","252639239344775007717805267459386561729","72105134252708737273865218759451754542"]},"signature_type":"Line","signature_version":"v1","source":"https://github.com/openssh/openssh-portable/commit/955854cafca88e0cdcd3d09ca1ad4ada465364a1","deprecated":false,"target":{"file":"scp.c"},"id":"CVE-2020-12062-39b5eba3"},{"digest":{"length":7438,"function_hash":"308835858213114162198892540639498415372"},"signature_type":"Function","signature_version":"v1","source":"https://github.com/openssh/openssh-portable/commit/aad87b88fc2536b1ea023213729aaf4eaabe1894","deprecated":false,"target":{"file":"scp.c","function":"sink"},"id":"
CVE-2020-12062-5a382a4a"},{"digest":{"length":7309,"function_hash":"53767624059814337072386877210542493620"},"signature_type":"Function","signature_version":"v1","source":"https://github.com/openssh/openssh-portable/commit/955854cafca88e0cdcd3d09ca1ad4ada465364a1","deprecated":false,"target":{"file":"scp.c","function":"sink"},"id":"CVE-2020-12062-bbe3b781"},{"digest":{"threshold":0.9,"line_hashes":["302129403808892202751107050716447255615","61496626747140544398979270959802250337","105281468172136327410663188044829880047","293086554244749760996224232632839202874","195580148751312565129272299131552896937","62754827386723772314164487033068467017","91093795874406203199923314780689690889","80045310575686873502304491569063636326","216708028325650026613906611124598911895","267214818528553513843417207949989865888","158765245001692313972144118478747865578","63414735354029722476490127892069240261","314107255444949948815984305294921132903","201088216718883056700857280629973156629","192212028164403779901204360561621057224","286506792761042218734818531975141235256","312896476630618715842742833924651703324","259473706127982983889351032975980407183","83000181967295068208842514600926261038","298663435118826884884272883130815331165","340082788827716859391783667820415712955","326618909914868997460470207450912218422","99829469656728677142853516466680587890","230402224464303796741997104396757960968","320410734860795843535174816443548679230","267570367607961992878385030191633367489","107061597165021500066445911238415806697","289806356720044768963146637049321452513","260243960107050248855121312637325053785","194739225682844158562181970494530443265","34499920914559173517755965082450825738","230496892850040593828802571910537797660","74513331631071103180190260695109362823","50008340652810922499358525931181772376","120885392690054934491661619585679522125","287194043963274900998509721959613721900","44458747903698616006063348483371826694","316508546691672080059414059357830782303","233252030710
543796505253211883348519163","251303294524522309215060758302019394472","261154285554809755028701011917230766619","47604260138662383895696611698600606594","82716757682974634598437456806798515326","339562628026380855405821253447149174583","174443632761763456194541611876468838629","72865323631324555086594722244066789044","155970464046432105937355881038114428248","252556976983114577220887832534745663516","82716757682974634598437456806798515326","339562628026380855405821253447149174583","280795950746436728426598436267220946453","94853005640295156301536530480763509522","153436855944483167225029325803028562593","105751830035293369313241438730120389474","72179151947409486518325703207179625135","175621170897981045447164479825797579092","277668653804583582479783918364773324982","113991484183080694382335885884042736886","168597542689955321354994213937711084361","240419536269667880525330408125200418703","33151099816884254792673513434906421922","224529968258468223378229755745745961869","152713584736817055945937143365665948725","211946117988160896391161643716436042818","316178308796585714024499955083089956470","280795950746436728426598436267220946453","18680688248253541108941255092917070201","131212689586534513628691939966476177107","222724721650718470349355510096094049112","260229717884042119955419045501957239876","298524835033959019491944943615422372491","208880212106049173201109273280066256456","20580524280090512475815308110071033145","331933004902524566911166121531619289335","300670216331995004139625650417842821291","207336144161194161842375081300721617949","77189386757872489944687781701598284719","293219870560737882010165752088878138796","269276677097489836684562413862894015645","144770580281188077559439423940497599709","283101901284502727108791913409430652930","212763019808253940086989854761979559026"]},"signature_type":"Line","signature_version":"v1","source":"https://github.com/openssh/openssh-portable/commit/aad87b88fc2536b1ea023213729aaf4eaabe1894","deprecated":false,"t
arget":{"file":"scp.c"},"id":"CVE-2020-12062-dc39e314"}],"vanir_signatures_modified":"2026-04-11T09:46:17Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}