@hanno this question came up in the SSH world, relating to terminal SCP clients: https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt

An SCP client had some missing validation checks in download mode, allowing a malicious server to modify parts of the client's filesystem other than the ones the user authorised it to. As a side effect, the client printed diagnostics which would have given the game away – but the client was also happy to print unsanitised escape sequences sent by the SSH server, which allowed the malicious server to send a well chosen combination of 'move up, clear line of text' escapes to wipe those telltale diagnostics off the screen and allow the attack to go undetected.

In that context, the failure to sanitise escape sequences was assigned a CVE number. (In fact, two: CVE-2019-6109 and CVE-2019-6110.) But that was only because in that particular context it allowed the attacker to hide evidence of a more serious crime.

PuTTY's SCP client was not vulnerable to the 'missing validation check' issue, and didn't allow the server to make unauthorised modifications. It _did_ have the 'failure to sanitise escape sequences' issue, but we didn't regard this as a vulnerability when it _wasn't_ allowing the covering-up of a real attack, and the original researcher agreed.

(We did regard it as a _bug_, and we fixed it. But not, by itself, a vulnerability.)

@hanno this question came up in the SSH world, relating to terminal SCP clients: https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt

An SCP client had some missing validation checks in download mode, allowing a malicious server to modify parts of the client's filesystem other than the ones the user authorised it to. As a side effect, the client printed diagnostics which would have given the game away – but the client was also happy to print unsanitised escape sequences sent by the SSH server, which allowed the malicious server to send a well chosen combination of 'move up, clear line of text' escapes to wipe those telltale diagnostics off the screen and allow the attack to go undetected.

In that context, the failure to sanitise escape sequences was assigned a CVE number. (In fact, two: CVE-2019-6109 and CVE-2019-6110.) But that was only because in that particular context it allowed the attacker to hide evidence of a more serious crime.

PuTTY's SCP client was not vulnerable to the 'missing validation check' issue, and didn't allow the server to make unauthorised modifications. It _did_ have the 'failure to sanitise escape sequences' issue, but we didn't regard this as a vulnerability when it _wasn't_ allowing the covering-up of a real attack, and the original researcher agreed.

(We did regard it as a _bug_, and we fixed it. But not, by itself, a vulnerability.)