CVE-2018-20684: Input Validation
First published: Thu Jan 10 2019(Updated: )
In WinSCP before 5.14 beta, due to missing validation, the scp implementation would accept arbitrary files sent by the server, potentially overwriting unrelated files. This affects TSCPFileSystem::SCPSink in core/ScpFileSystem.cpp.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Winscp Winscp | <=5.13.7 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.securityfocus.com/bid/106526
- https://github.com/winscp/winscp/commit/49d876f2c5fc00bcedaa986a7cf6dedd6bf16f54
- https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt
- https://winscp.net/eng/docs/history
- https://winscp.net/tracker/1675
- https://www.oracle.com/security-alerts/cpujan2020.html
Frequently Asked Questions
What is CVE-2018-20684?
CVE-2018-20684 is a vulnerability in WinSCP before 5.14 beta that allows arbitrary files sent by the server to potentially overwrite unrelated files.
How does the CVE-2018-20684 vulnerability impact WinSCP?
The vulnerability in WinSCP allows arbitrary files sent by the server to potentially overwrite unrelated files.
What is the severity of CVE-2018-20684?
CVE-2018-20684 has a severity rating of 7.5 (high).
How can I fix the CVE-2018-20684 vulnerability in WinSCP?
To fix the CVE-2018-20684 vulnerability in WinSCP, you should update to version 5.14 beta or later.
Where can I find more information about CVE-2018-20684?
You can find more information about CVE-2018-20684 at the following references: [1] http://www.securityfocus.com/bid/106526 [2] https://github.com/winscp/winscp/commit/49d876f2c5fc00bcedaa986a7cf6dedd6bf16f54 [3] https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt
- collector/nvd-index
- vendor/winscp
- canonical/winscp winscp
- version/winscp winscp/5.13.7