MidnightBSD

Advisories for winscp

CVE-2002-1357 HIGH

Multiple SSH2 servers and clients do not properly handle packets or data elements with incorrect length specifiers, which may allow remote attackers to cause a denial of service or possibly execute arbitrary code, as demonstrated by the SSHredder SSH protocol test suite.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
cisco ios 12.1e
putty putty 0.53
cisco ios 12.0st
cisco ios 12.0s
putty putty 0.49
cisco ios 12.1ea
cisco ios 12.1t
winscp winscp 2.0.0
cisco ios 12.2
fissh ssh_client 1.0a_for_windows
putty putty 0.48
cisco ios 12.2t
cisco ios 12.2s
pragma_systems secureshell 2.0
intersoft securenetterm 5.4.1
netcomposite shellguard_ssh 3.4.6
CVE-2002-1358 HIGH

Multiple SSH2 servers and clients do not properly handle lists with empty elements or strings, which may allow remote attackers to cause a denial of service or possibly execute arbitrary code, as demonstrated by the SSHredder SSH protocol test suite.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,

Products Affected

Vendor Product Version
cisco ios 12.1e
putty putty 0.53
cisco ios 12.0st
cisco ios 12.0s
putty putty 0.49
cisco ios 12.1ea
cisco ios 12.1t
winscp winscp 2.0.0
cisco ios 12.2
fissh ssh_client 1.0a_for_windows
putty putty 0.48
cisco ios 12.2t
cisco ios 12.2s
pragma_systems secureshell 2.0
intersoft securenetterm 5.4.1
netcomposite shellguard_ssh 3.4.6
CVE-2002-1359 HIGH

Multiple SSH2 servers and clients do not properly handle large packets or large fields, which may allow remote attackers to cause a denial of service or possibly execute arbitrary code via buffer overflow attacks, as demonstrated by the SSHredder SSH protocol test suite.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,

Products Affected

Vendor Product Version
cisco ios 12.1e
putty putty 0.53
cisco ios 12.0st
cisco ios 12.0s
putty putty 0.49
cisco ios 12.1ea
cisco ios 12.1t
winscp winscp 2.0.0
cisco ios 12.2
fissh ssh_client 1.0a_for_windows
putty putty 0.48
cisco ios 12.2t
cisco ios 12.2s
pragma_systems secureshell 2.0
intersoft securenetterm 5.4.1
netcomposite shellguard_ssh 3.4.6
CVE-2002-1360 HIGH

Multiple SSH2 servers and clients do not properly handle strings with null characters in them when the string length is specified by a length field, which could allow remote attackers to cause a denial of service or possibly execute arbitrary code due to interactions with the use of null-terminated strings as implemented using languages such as C, as demonstrated by the SSHredder SSH protocol test suite.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,

Products Affected

Vendor Product Version
cisco ios 12.1e
putty putty 0.53
cisco ios 12.0st
cisco ios 12.0s
putty putty 0.49
cisco ios 12.1ea
cisco ios 12.1t
winscp winscp 2.0.0
cisco ios 12.2
fissh ssh_client 1.0a_for_windows
putty putty 0.48
cisco ios 12.2t
cisco ios 12.2s
pragma_systems secureshell 2.0
intersoft securenetterm 5.4.1
netcomposite shellguard_ssh 3.4.6
CVE-2006-3015 HIGH

Argument injection vulnerability in WinSCP 3.8.1 build 328 allows remote attackers to upload or download arbitrary files via encoded spaces and double-quote characters in a scp or sftp URI.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-88,

Products Affected

Vendor Product Version
winscp winscp 3.8.1
CVE-2013-4852 MEDIUM

Integer overflow in PuTTY 0.62 and earlier, WinSCP before 5.1.6, and other products that use PuTTY allows remote SSH servers to cause a denial of service (crash) and possibly execute arbitrary code in certain applications that use PuTTY via a negative size value in an RSA key signature during the SSH handshake, which triggers a heap-based buffer overflow.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-189,

Products Affected

Vendor Product Version
winscp winscp 3.7.6
simon_tatham putty 0.53
putty putty 0.49
winscp winscp 5.1.1
putty putty 0.55
winscp winscp 3.8_beta
putty putty 0.59
putty putty 0.47
debian debian_linux 7.0
winscp winscp *
winscp winscp 5.0.6
winscp winscp 4.0.4
putty putty 0.51
putty putty 2010-06-01
winscp winscp 4.2.6
winscp winscp 5.0.2
winscp winscp 4.2.9
winscp winscp 5.1.3
winscp winscp 4.3.2
putty putty 0.46
winscp winscp 4.3.6
putty putty 0.61
winscp winscp 5.0.7
putty putty 0.56
winscp winscp 4.3.5
simon_tatham putty *
winscp winscp 5.1
winscp winscp 3.8.2
winscp winscp 5.0.8
putty putty 0.53b
winscp winscp 5.0.1
winscp winscp 5.0.5
debian debian_linux 6.0
winscp winscp 4.3.7
putty putty 0.60
winscp winscp 4.2.8
winscp winscp 5.1.2
opensuse opensuse 12.3
winscp winscp 4.4.0
winscp winscp 5.0.4
winscp winscp 5.1.4
putty putty 0.58
winscp winscp 4.3.9
putty putty 0.57
winscp winscp 4.3.4
putty putty 0.54
winscp winscp 5.0
winscp winscp 4.2.7
winscp winscp 4.3.8
debian debian_linux 7.1
putty putty 0.48
putty putty 0.45
winscp winscp 4.0.5
winscp winscp 5.0.3
winscp winscp 5.0.9
putty putty 0.52
putty putty 0.50
CVE-2014-2735 MEDIUM

WinSCP before 5.5.3, when FTP with TLS is used, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
winscp winscp *
winscp winscp 5.5
winscp winscp 5.5.1
CVE-2018-20684 MEDIUM

In WinSCP before 5.14 beta, due to missing validation, the scp implementation would accept arbitrary files sent by the server, potentially overwriting unrelated files. This affects TSCPFileSystem::SCPSink in core/ScpFileSystem.cpp.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
winscp winscp *
CVE-2018-20685 LOW

In OpenSSH 7.9, scp.c in the scp client allows remote SSH servers to bypass intended access restrictions via the filename of . or an empty filename. The impact is modifying the permissions of the target directory on the client side.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N 1.6 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-863,CWE-863,

Products Affected

Vendor Product Version
redhat enterprise_linux_eus 8.6
netapp ontap_select_deploy -
fujitsu m10-4_firmware *
fujitsu m10-4s_firmware *
redhat enterprise_linux 7.0
redhat enterprise_linux_server_aus 8.4
redhat enterprise_linux_server_aus 8.6
canonical ubuntu_linux 18.04
fujitsu m12-2s_firmware *
redhat enterprise_linux_server_tus 8.2
redhat enterprise_linux_server_tus 8.6
winscp winscp *
redhat enterprise_linux_eus 8.1
fujitsu m10-1_firmware *
fujitsu m12-2_firmware *
canonical ubuntu_linux 16.04
oracle solaris 10
openbsd openssh *
siemens scalance_x204rna_firmware *
canonical ubuntu_linux 18.10
canonical ubuntu_linux 14.04
redhat enterprise_linux_eus 8.4
siemens scalance_x204rna_eec_firmware *
fujitsu m12-1_firmware *
redhat enterprise_linux_server_aus 8.2
netapp cloud_backup -
netapp element_software -
redhat enterprise_linux_eus 8.2
debian debian_linux 9.0
netapp steelstore_cloud_integrated_storage -
redhat enterprise_linux 8.0
debian debian_linux 8.0
redhat enterprise_linux_server_tus 8.4
netapp storage_automation_store -
CVE-2019-6109 MEDIUM

An issue was discovered in OpenSSH 7.9. Due to missing character encoding in the progress display, a malicious server (or Man-in-The-Middle attacker) can employ crafted object names to manipulate the client output, e.g., by using ANSI control codes to hide additional files being transferred. This affects refresh_progress_meter() in progressmeter.c.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.8 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N 1.6 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-116,

Products Affected

Vendor Product Version
redhat enterprise_linux_eus 8.6
netapp ontap_select_deploy -
fujitsu m10-4_firmware *
fujitsu m10-4s_firmware *
redhat enterprise_linux_server_aus 8.4
redhat enterprise_linux_server_aus 8.6
canonical ubuntu_linux 18.04
fedoraproject fedora 30
fujitsu m12-2s_firmware *
redhat enterprise_linux_server_tus 8.2
redhat enterprise_linux_server_tus 8.6
winscp winscp *
redhat enterprise_linux_eus 8.1
fujitsu m10-1_firmware *
fujitsu m12-2_firmware *
canonical ubuntu_linux 16.04
openbsd openssh *
siemens scalance_x204rna_firmware *
canonical ubuntu_linux 18.10
canonical ubuntu_linux 14.04
redhat enterprise_linux_eus 8.4
siemens scalance_x204rna_eec_firmware *
fujitsu m12-1_firmware *
redhat enterprise_linux_server_aus 8.2
netapp element_software -
redhat enterprise_linux_eus 8.2
debian debian_linux 9.0
redhat enterprise_linux 8.0
debian debian_linux 8.0
redhat enterprise_linux_server_tus 8.4
netapp storage_automation_store -
CVE-2019-6110 MEDIUM

In OpenSSH 7.9, due to accepting and displaying arbitrary stderr output from the server, a malicious server (or Man-in-The-Middle attacker) can manipulate the client output, for example to use ANSI control codes to hide additional files being transferred.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.8 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N 1.6 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-838,CWE-838,

Products Affected

Vendor Product Version
openbsd openssh *
netapp ontap_select_deploy -
winscp winscp *
netapp element_software -
siemens scalance_x204rna_firmware *
siemens scalance_x204rna_eec_firmware *
netapp storage_automation_store -
CVE-2019-6111 MEDIUM

An issue was discovered in OpenSSH 7.9. Due to the scp implementation being derived from 1983 rcp, the server chooses which files/directories are sent to the client. However, the scp client only performs cursory validation of the object name returned (only directory traversal attacks are prevented). A malicious scp server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the scp client target directory. If recursive operation (-r) is performed, the server can manipulate subdirectories as well (for example, to overwrite the .ssh/authorized_keys file).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N 2.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22,CWE-22,

Products Affected

Vendor Product Version
redhat enterprise_linux_eus 8.6
apache mina_sshd 2.2.0
fujitsu m10-4_firmware *
fujitsu m10-4s_firmware *
redhat enterprise_linux 7.0
redhat enterprise_linux_server_aus 8.4
redhat enterprise_linux_server_aus 8.6
canonical ubuntu_linux 18.04
fedoraproject fedora 30
fujitsu m12-2s_firmware *
redhat enterprise_linux_server_tus 8.2
redhat enterprise_linux_server_tus 8.6
winscp winscp *
redhat enterprise_linux_eus 8.1
fujitsu m10-1_firmware *
fujitsu m12-2_firmware *
canonical ubuntu_linux 16.04
openbsd openssh *
siemens scalance_x204rna_firmware *
canonical ubuntu_linux 18.10
canonical ubuntu_linux 14.04
redhat enterprise_linux_eus 8.4
siemens scalance_x204rna_eec_firmware *
fujitsu m12-1_firmware *
redhat enterprise_linux_server_aus 8.2
redhat enterprise_linux_eus 8.2
freebsd freebsd *
debian debian_linux 9.0
redhat enterprise_linux 8.0
debian debian_linux 8.0
redhat enterprise_linux_server_tus 8.4
freebsd freebsd 12.0
CVE-2020-28864 HIGH

Buffer overflow in WinSCP 5.17.8 allows a malicious FTP server to cause a denial of service or possibly have other unspecified impact via a long file name.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-120,

Products Affected

Vendor Product Version
winscp winscp 5.17.8
CVE-2021-3331 HIGH

WinSCP before 5.17.10 allows remote attackers to execute arbitrary programs when the URL handler encounters a crafted URL that loads session settings. (For example, this is exploitable in a default installation in which WinSCP is the handler for sftp:// URLs.)

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
winscp winscp *
CVE-2023-48795

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N 2.2 3.6

Products Affected

Vendor Product Version
redhat advanced_cluster_security 4.0
panic transmit_5 *
lancom-systems lcos_sx 4.20
crushftp crushftp *
tera_term_project tera_term *
apple macos *
redhat enterprise_linux 9.0
winscp winscp *
lancom-systems lcos_sx 5.20
redhat keycloak -
proftpd proftpd *
golang crypto *
filezilla-project filezilla_client *
paramiko paramiko *
sftpgo_project sftpgo *
redhat openshift_api_for_data_protection -
crates thrussh *
oryx-embedded cyclone_ssh *
libssh2 libssh2 *
redhat openshift_container_platform 4.0
kitty_project kitty *
redhat storage 3.0
libssh libssh *
erlang erlang/otp *
fedoraproject fedora 38
redhat openshift_dev_spaces -
asyncssh_project asyncssh *
microsoft powershell *
freebsd freebsd *
lancom-systems lanconfig -
jadaptive maverick_synergy_java_ssh_api *
netgate pfsense_plus *
redhat openshift_pipelines -
panic nova *
connectbot sshlib *
net-ssh net-ssh 7.2.0
gentoo security -
redhat openstack_platform 17.1
bitvise ssh_client *
dropbear_ssh_project dropbear_ssh *
putty putty *
redhat openshift_developer_tools_and_services -
tinyssh tinyssh *
ssh ssh *
matez jsch *
redhat openshift_data_foundation 4.0
roumenpetrov pkixssh *
redhat advanced_cluster_security 3.0
vandyke securecrt *
openbsd openssh *
apache sshj *
trilead ssh2 6401
bitvise ssh_server *
redhat cert-manager_operator_for_red_hat_openshift -
redhat openshift_serverless -
redhat openstack_platform 16.1
redhat openshift_virtualization 4
thorntech sftp_gateway_firmware *
redhat discovery -
russh_project russh *
netgate pfsense_ce *
netsarang xshell_7 *
redhat jboss_enterprise_application_platform 7.0
lancom-systems lcos_lx -
lancom-systems lcos_fx -
debian debian_linux 10.0
redhat enterprise_linux 8.0
redhat single_sign-on 7.0
redhat openshift_gitops -
apache sshd *
lancom-systems lcos *
ssh2_project ssh2 *
redhat ceph_storage 6.0
fedoraproject fedora 39
redhat openstack_platform 16.2
CVE-2024-31497

In PuTTY 0.68 through 0.80 before 0.81, biased ECDSA nonce generation allows an attacker to recover a user's NIST P-521 secret key via a quick attack in approximately 60 signatures. This is especially important in a scenario where an adversary is able to read messages signed by PuTTY or Pageant. The required set of signed messages may be publicly readable because they are stored in a public Git service that supports use of SSH for commit signing, and the signatures were made by Pageant through an agent-forwarding mechanism. In other words, an adversary may already have enough signature information to compromise a victim's private key, even if there is no further use of vulnerable PuTTY versions. After a key compromise, an adversary may be able to conduct supply-chain attacks on software maintained in Git. A second, independent scenario is that the adversary is an operator of an SSH server to which the victim authenticates (for remote login or file copy), even though this server is not fully trusted by the victim, and the victim uses the same private key for SSH connections to other services operated by other entities. Here, the rogue server operator (who would otherwise have no way to determine the victim's private key) can derive the victim's private key, and then use it for unauthorized access to those other services. If the other services include Git services, then again it may be possible to conduct supply-chain attacks on software maintained in Git. This also affects, for example, FileZilla before 3.67.0, WinSCP before 6.3.3, TortoiseGit before 2.15.0.1, and TortoiseSVN through 1.14.6.

Products Affected

Vendor Product Version
fedoraproject fedora 38
winscp winscp *
tortoisegit tortoisegit *
fedoraproject fedora 40
putty putty *
filezilla-project filezilla_client *
fedoraproject fedora 39
tigris tortoisesvn *