The process_open function in sftp-server.c in OpenSSH before 7.6 does not properly prevent write operations in readonly mode, which allows attackers to create zero-length files.
Created openssh tracking bugs for this issue:
Affects: fedora-all [bug 1506631]
It seems the maximum impact of this flaw is that the attacker can create an extremely large number of zero-length files to fill up a hard disk on a remote server which the attacker has read-only access to.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2018:0980 https://access.redhat.com/errata/RHSA-2018:0980
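The class of check described in the summary above, as an added illustration that is not OpenSSH source code: a read-only gate that inspects only the access mode lets a request with read-only access plus `O_CREAT` through, and the open then creates an empty file. The function names, the scratch path and the stricter gate are assumptions made for this example.

```c
#define _DEFAULT_SOURCE   /* for mkdtemp() under strict -std modes */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical read-only gate that inspects only the access mode. */
static int gate_accmode_only(int flags)
{
    return (flags & O_ACCMODE) != O_WRONLY && (flags & O_ACCMODE) != O_RDWR;
}

/* Hypothetical stricter gate: also refuses flags that modify the filesystem. */
static int gate_strict(int flags)
{
    return (flags & O_ACCMODE) == O_RDONLY && (flags & (O_CREAT | O_TRUNC)) == 0;
}

/* Apply a gate to an open request for a new file in a scratch directory.
 * Returns 1 if a zero-length file was created, 0 if not, -1 on setup error. */
static int creates_empty_file(int (*gate)(int), int flags)
{
    char dir[] = "/tmp/ro-gate-XXXXXX";   /* constructed scratch location */
    char path[64];
    struct stat st;
    int created = 0;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(path, sizeof(path), "%s/probe", dir);
    if (gate(flags)) {                    /* request passed the read-only check */
        int fd = open(path, flags, 0600);
        if (fd >= 0)
            close(fd);
    }
    if (stat(path, &st) == 0 && st.st_size == 0)
        created = 1;
    unlink(path);                         /* clean up whether or not it exists */
    rmdir(dir);
    return created;
}

int main(void)
{
    int req = O_RDONLY | O_CREAT;         /* read-only access mode plus create */
    printf("accmode-only gate: created=%d\n", creates_empty_file(gate_accmode_only, req));
    printf("strict gate:       created=%d\n", creates_empty_file(gate_strict, req));
}
```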