CVE-2018-20684 Information

Description

In WinSCP before 5.14 beta due to missing validation the scp implementation would accept arbitrary files sent by the server potentially overwriting unrelated files. This affects TSCPFileSystem::SCPSink in core/ScpFileSystem.cpp.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Reference

http://www.securityfocus.com/bid/106526 https://github.com/winscp/winscp/commit/49d876f2c5fc00bcedaa986a7cf6dedd6bf16f54 https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt https://winscp.net/eng/docs/history https://winscp.net/tracker/1675 https://www.oracle.com/security-alerts/cpujan2020.html

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

NONE

Availability Impact

HIGH

Base Score

NONE

Base Severity

7.5