OpenSSH project had been working on version OpenSSH 8.0p1 in 2019 when they published that "scp" protocol thus the "scp" command has a vulnerability with verification of the file name sent by server against the one that client actually requested. This issue was mitigated in OpenSSH 8.0p1 but, was never fully applied across the platforms.
An important thing to note is that this is still an ongoing issue with different platforms. RedHat has marked the scp as "Will Not Fix" for Red Hat Enterprise Linux 7 on their official page addressing CVE-2019-6111 in OpenSSH version 7.9.
Emotional statement: as we all loved worked with scp we'll be monitoring for confirmation that this vulnerability is removed across the platforms and will gladly let you know about it 😉.
Fill out the enquiry form and we'll get back to you as soon as possible.