CVE-2020-15778
scp in OpenSSH through 8.3p1 allows command injection in the scp.c remote function, as demonstrated by backtick characters in the destination argument. NOTE: the vendor reportedly has stated that they intentionally omit validation of "anomalous argument transfers" because that could "stand a great chance of breaking existing workflows."
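
Because scp itself does not validate the destination argument, a script that builds scp targets from untrusted input has to do so before calling it. The check below is an added example, not code from OpenSSH or from this advisory; the allow-list patterns, function names and sample hostnames are assumptions. It applies the same check to a remote source as to the destination, since both take the form [user@]host:path.

```python
import re

# Constructed allow-lists (assumptions of this example, not from OpenSSH).
# Anything outside them is refused, not escaped: backticks, $, ;, |, &,
# quotes, whitespace and newlines all fail the path pattern.
SAFE_HOST = re.compile(r"(?:[A-Za-z0-9][A-Za-z0-9._-]*@)?[A-Za-z0-9][A-Za-z0-9.-]*")
SAFE_PATH = re.compile(r"[A-Za-z0-9._/~+-]+")


class UnsafeOperand(ValueError):
    """Raised when an scp operand must not be handed to scp."""


def split_remote(operand):
    """Return (hostspec, path) for '[user@]host:path', or None if local.

    Following scp's rule, the operand is local when there is no ':' or
    when a '/' appears before the first ':'.
    """
    head, sep, path = operand.partition(":")
    if not sep or "/" in head:
        return None
    return head, path


def check_operand(operand):
    """Return operand unchanged if it is safe to pass to scp, else raise."""
    if operand.startswith("-"):
        raise UnsafeOperand("operand could be parsed as an option")
    remote = split_remote(operand)
    if remote is None:
        return operand  # local path: not handed to a remote shell
    host, path = remote
    if not SAFE_HOST.fullmatch(host):
        raise UnsafeOperand("unexpected characters in host part")
    # The remote path is the part a shell on the server interprets.
    if not SAFE_PATH.fullmatch(path):
        raise UnsafeOperand("unexpected characters in remote path")
    return operand


def build_scp_argv(source, destination):
    """argv list for subprocess.run(); '--' stops option parsing in scp."""
    return ["scp", "--", check_operand(source), check_operand(destination)]


if __name__ == "__main__":
    # Constructed sample operands.
    print(build_scp_argv("report.txt", "backup@files.example:/srv/in/report.txt"))
    try:
        build_scp_argv("report.txt", "files.example:/srv/in/`id`.txt")
    except UnsafeOperand as err:
        print("refused:", err)
```

Passing the returned list to subprocess.run() without shell=True keeps the local shell out of the picture; the allow-list is what covers the remote side.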
