CVE-2020-15778 not resolved in monthly security patches



Article ID: 236391




CA API Gateway


One of our clients runs regular security scans on the gateway and finds a vulnerability.

The client is on the latest patch level (Layer7_API_PlatformUpdate_64bit_v10.X-CentOS-2022-01-26).

The CVE they have found: CVE-2020-15778

Are you aware of this vulnerability? And how should we (or you) proceed on this issue?


Release: 10.0



According to the Red Hat CVE page, this vulnerability is not fixed in Red Hat Enterprise Linux and is marked "Will not fix".

The gateway runs CentOS, which is built from the same Red Hat sources, so there is no fix to include in the platform patch.

The flaw is in the scp client: the destination argument is passed to the remote shell without proper quoting, so shell metacharacters (such as backticks) in that argument are executed on the remote side. To exploit it, an attacker needs to social engineer or manipulate a system administrator (who has root access on the remote server) into running scp with a malicious command line parameter.

Administrators can uninstall the openssh-clients package for additional protection against accidental use of this binary. Removing the openssh-clients package makes scp, ssh and the other client binaries unavailable on that system.

Alternatively, administrators can remove the execute permissions from the scp binary. Note that a later update of the openssh-clients package reinstalls scp with its default permissions, so this mitigation only lasts until the package is updated and must be reapplied afterwards.
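The following shell helpers, added here as an example and not part of the Broadcom article or the gateway's own tooling, check whether the scp binary is still executable (or absent), apply the execute-permission mitigation described above, and report the installed openssh-clients version so the check can be rerun after each platform patch. The function names, the SCP_BIN variable and the default path /usr/bin/scp (the location on CentOS/RHEL) are assumptions of this example; the path can be overridden to exercise the functions against a scratch file.

```shell
#!/bin/sh
# Added example (not from the article): CVE-2020-15778 mitigation check for
# the "remove execute permissions from scp" workaround recommended by Red Hat.
# SCP_BIN defaults to /usr/bin/scp (assumed CentOS/RHEL location); override it
# to test against a scratch file.

SCP_BIN="${SCP_BIN:-/usr/bin/scp}"

# Print "mitigated" when scp is absent (openssh-clients removed) or has no
# execute bit, "exposed" when it can still be run.
scp_mitigation_state() {
    path="${1:-$SCP_BIN}"
    if [ ! -e "$path" ]; then
        echo "mitigated"
    elif [ ! -x "$path" ]; then
        echo "mitigated"
    else
        echo "exposed"
    fi
}

# Strip all execute bits from scp (needs root on a real system). Does nothing
# if the binary is already gone.
apply_scp_mitigation() {
    path="${1:-$SCP_BIN}"
    [ -e "$path" ] || return 0
    chmod a-x "$path"
}

# Installed openssh-clients version, if rpm is available. An update of this
# package reinstalls scp with its default mode, so the mitigation must be
# reapplied whenever the reported version changes.
openssh_clients_version() {
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm not available"
    elif rpm -q openssh-clients >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}-%{RELEASE}\n' openssh-clients
    else
        echo "not installed"
    fi
}

# Human-readable summary, e.g. for a post-patch checklist.
scp_report() {
    echo "openssh-clients: $(openssh_clients_version)"
    echo "$SCP_BIN: $(scp_mitigation_state)"
}

scp_report
```

Run the script after every platform update; if it prints "exposed", rerun apply_scp_mitigation as root. Removing the execute bits rather than deleting the file keeps the rpm database consistent (rpm -V openssh-clients will flag the mode change, which is a useful reminder that the workaround is in place).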