A security scan might report the OpenSSH command injection vulnerability (Generic).
No solution is available from Linux vendors yet. This issue is marked as Will not fix by Red Hat Enterprise Linux.
However, there is a workaround: As per upstream, because scp is based on a historical protocol called rcp, which relies on that style of argument passing, it encounters expansion problems. Making changes to how the scp command line works breaks the pattern used by scp consumers. Upstream, therefore, recommends the use of rsync instead of scp for better security. More details about supported alternatives are available at Red Hat guide (https://access.redhat.com/articles/5284081).