
Summary

Vendor : Winscp
Product : Winscp
Version : (not specified)
Update, Edition, Language, Software Edition, Target Software, Target Hardware, Other : (not specified)

Detail

Type : Application
First view : 2002-12-23
Last view : 2024-04-15

Activity : Overall

COMMON PLATFORM ENUMERATION: Distribution per Version

CPE Name  Number of affected CVEs
cpe:2.3:a:winscp:winscp:2.0.0:*:*:*:*:*:*:* 15
cpe:2.3:a:winscp:winscp:3.8.1:*:*:*:*:*:*:* 12
cpe:2.3:a:winscp:winscp:3.5.6:*:*:*:*:*:*:* 11
cpe:2.3:a:winscp:winscp:3.6:*:*:*:*:*:*:* 11
cpe:2.3:a:winscp:winscp:4.0.2:*:*:*:*:*:*:* 11
cpe:2.3:a:winscp:winscp:4.0.3:*:*:*:*:*:*:* 11
cpe:2.3:a:winscp:winscp:3.6.1:*:*:*:*:*:*:* 11
cpe:2.3:a:winscp:winscp:3.6.5_beta:*:*:*:*:*:*:* 11
cpe:2.3:a:winscp:winscp:3.5.5_beta:*:*:*:*:*:*:* 11
cpe:2.3:a:winscp:winscp:3.8.2:*:*:*:*:*:*:* 11
cpe:2.3:a:winscp:winscp:3.6.6:*:*:*:*:*:*:* 11
cpe:2.3:a:winscp:winscp:3.6.7:*:*:*:*:*:*:* 11
cpe:2.3:a:winscp:winscp:4.3.4:*:*:*:*:*:*:* 10
cpe:2.3:a:winscp:winscp:4.3.2:*:*:*:*:*:*:* 10
cpe:2.3:a:winscp:winscp:4.0.4:*:*:*:*:*:*:* 10
cpe:2.3:a:winscp:winscp:4.3.9:*:*:*:*:*:*:* 10
cpe:2.3:a:winscp:winscp:5.0:beta:*:*:*:*:*:* 10
cpe:2.3:a:winscp:winscp:5.0.7:beta:*:*:*:*:*:* 10
cpe:2.3:a:winscp:winscp:5.0.9:rc:*:*:*:*:*:* 10
cpe:2.3:a:winscp:winscp:4.2.9:*:*:*:*:*:*:* 10
cpe:2.3:a:winscp:winscp:5.1:*:*:*:*:*:*:* 10
cpe:2.3:a:winscp:winscp:5.0.8:rc:*:*:*:*:*:* 10
cpe:2.3:a:winscp:winscp:5.0.1:beta:*:*:*:*:*:* 10
cpe:2.3:a:winscp:winscp:4.4.0:*:*:*:*:*:*:* 10
cpe:2.3:a:winscp:winscp:3.8_beta:*:*:*:*:*:*:* 10
cpe:2.3:a:winscp:winscp:4.0.5:*:*:*:*:*:*:* 10
cpe:2.3:a:winscp:winscp:5.0.3:beta:*:*:*:*:*:* 10
cpe:2.3:a:winscp:winscp:4.3.5:*:*:*:*:*:*:* 10
cpe:2.3:a:winscp:winscp:*:*:*:*:*:*:*:* 10
cpe:2.3:a:winscp:winscp:4.3.7:*:*:*:*:*:*:* 10
cpe:2.3:a:winscp:winscp:3.8.1_build328:*:*:*:*:*:*:* 10
cpe:2.3:a:winscp:winscp:5.1.3:*:*:*:*:*:*:* 10
cpe:2.3:a:winscp:winscp:5.1.2:*:*:*:*:*:*:* 10
cpe:2.3:a:winscp:winscp:5.1.1:*:*:*:*:*:*:* 10
cpe:2.3:a:winscp:winscp:4.3.8:*:*:*:*:*:*:* 10
cpe:2.3:a:winscp:winscp:4.2.8:*:*:*:*:*:*:* 10
cpe:2.3:a:winscp:winscp:4.3.6:*:*:*:*:*:*:* 10
cpe:2.3:a:winscp:winscp:3.7.6:*:*:*:*:*:*:* 10
cpe:2.3:a:winscp:winscp:5.0.6:beta:*:*:*:*:*:* 10
cpe:2.3:a:winscp:winscp:5.0.5:beta:*:*:*:*:*:* 10
cpe:2.3:a:winscp:winscp:5.0.4:beta:*:*:*:*:*:* 10
cpe:2.3:a:winscp:winscp:5.0.2:beta:*:*:*:*:*:* 10
cpe:2.3:a:winscp:winscp:4.2.6:*:*:*:*:*:*:* 10
cpe:2.3:a:winscp:winscp:4.2.7:*:*:*:*:*:*:* 10
cpe:2.3:a:winscp:winscp:5.1.4:*:*:*:*:*:*:* 9
cpe:2.3:a:winscp:winscp:5.5:*:*:*:*:*:*:* 8
cpe:2.3:a:winscp:winscp:5.5.1:*:*:*:*:*:*:* 8
cpe:2.3:a:winscp:winscp:5.17.8:*:*:*:*:*:*:* 4

Related : CVE

Score Date CVE Description
5.9 2024-04-15 CVE-2024-31497

In PuTTY 0.68 through 0.80 before 0.81, biased ECDSA nonce generation allows an attacker to recover a user's NIST P-521 secret key via a quick attack in approximately 60 signatures. This is especially important in a scenario where an adversary is able to read messages signed by PuTTY or Pageant. The required set of signed messages may be publicly readable because they are stored in a public Git service that supports use of SSH for commit signing, and the signatures were made by Pageant through an agent-forwarding mechanism. In other words, an adversary may already have enough signature information to compromise a victim's private key, even if there is no further use of vulnerable PuTTY versions. After a key compromise, an adversary may be able to conduct supply-chain attacks on software maintained in Git. A second, independent scenario is that the adversary is an operator of an SSH server to which the victim authenticates (for remote login or file copy), even though this server is not fully trusted by the victim, and the victim uses the same private key for SSH connections to other services operated by other entities. Here, the rogue server operator (who would otherwise have no way to determine the victim's private key) can derive the victim's private key, and then use it for unauthorized access to those other services. If the other services include Git services, then again it may be possible to conduct supply-chain attacks on software maintained in Git. This also affects, for example, FileZilla before 3.67.0, WinSCP before 6.3.3, TortoiseGit before 2.15.0.1, and TortoiseSVN through 1.14.6.

5.9 2023-12-18 CVE-2023-48795

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.

9.8 2021-01-27 CVE-2021-3331

WinSCP before 5.17.10 allows remote attackers to execute arbitrary programs when the URL handler encounters a crafted URL that loads session settings. (For example, this is exploitable in a default installation in which WinSCP is the handler for sftp:// URLs.)

9.8 2020-11-23 CVE-2020-28864

Buffer overflow in WinSCP 5.17.8 allows a malicious FTP server to cause a denial of service or possibly have other unspecified impact via a long file name.

5.9 2019-01-31 CVE-2019-6111

An issue was discovered in OpenSSH 7.9. Due to the scp implementation being derived from 1983 rcp, the server chooses which files/directories are sent to the client. However, the scp client only performs cursory validation of the object name returned (only directory traversal attacks are prevented). A malicious scp server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the scp client target directory. If recursive operation (-r) is performed, the server can manipulate subdirectories as well (for example, to overwrite the .ssh/authorized_keys file).

6.8 2019-01-31 CVE-2019-6110

In OpenSSH 7.9, due to accepting and displaying arbitrary stderr output from the server, a malicious server (or Man-in-The-Middle attacker) can manipulate the client output, for example to use ANSI control codes to hide additional files being transferred.

6.8 2019-01-31 CVE-2019-6109

An issue was discovered in OpenSSH 7.9. Due to missing character encoding in the progress display, a malicious server (or Man-in-The-Middle attacker) can employ crafted object names to manipulate the client output, e.g., by using ANSI control codes to hide additional files being transferred. This affects refresh_progress_meter() in progressmeter.c.

5.3 2019-01-10 CVE-2018-20685

In OpenSSH 7.9, scp.c in the scp client allows remote SSH servers to bypass intended access restrictions via the filename of . or an empty filename. The impact is modifying the permissions of the target directory on the client side.

7.5 2019-01-10 CVE-2018-20684

In WinSCP before 5.14 beta, due to missing validation, the scp implementation would accept arbitrary files sent by the server, potentially overwriting unrelated files. This affects TSCPFileSystem::SCPSink in core/ScpFileSystem.cpp.

5.8 2014-04-22 CVE-2014-2735

WinSCP before 5.5.3, when FTP with TLS is used, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

6.8 2013-08-19 CVE-2013-4852

Integer overflow in PuTTY 0.62 and earlier, WinSCP before 5.1.6, and other products that use PuTTY allows remote SSH servers to cause a denial of service (crash) and possibly execute arbitrary code in certain applications that use PuTTY via a negative size value in an RSA key signature during the SSH handshake, which triggers a heap-based buffer overflow.

9.3 2007-09-17 CVE-2007-4909

Interpretation conflict in WinSCP before 4.0.4 allows remote attackers to perform arbitrary file transfers with a remote server via file-transfer commands in the final portion of a (1) scp, and possibly a (2) sftp or (3) ftp, URL, as demonstrated by a URL specifying login to the remote server with a username of scp, which is interpreted as an HTTP scheme name by the protocol handler in a web browser, but is interpreted as a username by WinSCP. NOTE: this is related to an incomplete fix for CVE-2006-3015.

7.1 2006-06-14 CVE-2006-3015

Argument injection vulnerability in WinSCP 3.8.1 build 328 allows remote attackers to upload or download arbitrary files via encoded spaces and double-quote characters in a scp or sftp URI.

10 2002-12-23 CVE-2002-1360

Multiple SSH2 servers and clients do not properly handle strings with null characters in them when the string length is specified by a length field, which could allow remote attackers to cause a denial of service or possibly execute arbitrary code due to interactions with the use of null-terminated strings as implemented using languages such as C, as demonstrated by the SSHredder SSH protocol test suite.

10 2002-12-23 CVE-2002-1359

Multiple SSH2 servers and clients do not properly handle large packets or large fields, which may allow remote attackers to cause a denial of service or possibly execute arbitrary code via buffer overflow attacks, as demonstrated by the SSHredder SSH protocol test suite.

10 2002-12-23 CVE-2002-1358

Multiple SSH2 servers and clients do not properly handle lists with empty elements or strings, which may allow remote attackers to cause a denial of service or possibly execute arbitrary code, as demonstrated by the SSHredder SSH protocol test suite.

10 2002-12-23 CVE-2002-1357

Multiple SSH2 servers and clients do not properly handle packets or data elements with incorrect length specifiers, which may allow remote attackers to cause a denial of service or possibly execute arbitrary code, as demonstrated by the SSHredder SSH protocol test suite.

CWE : Common Weakness Enumeration

% (count) id Name
35% (5) CWE-20 Improper Input Validation
7% (1) CWE-354 Improper Validation of Integrity Check Value
7% (1) CWE-338 Use of Cryptographically Weak PRNG
7% (1) CWE-264 Permissions, Privileges, and Access Controls
7% (1) CWE-189 Numeric Errors
7% (1) CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflo...
7% (1) CWE-119 Failure to Constrain Operations within the Bounds of a Memory Buffer
7% (1) CWE-116 Improper Encoding or Escaping of Output
7% (1) CWE-88 Argument Injection or Modification
7% (1) CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path ...

CAPEC : Common Attack Pattern Enumeration & Classification

id Name
CAPEC-41 Using Meta-characters in E-mail Headers to Inject Malicious Payloads
CAPEC-47 Buffer Overflow via Parameter Expansion
CAPEC-88 OS Command Injection
CAPEC-133 Try All Common Application Switches and Options

Oval Markup Language : Definitions

OvalID Name
oval:org.mitre.oval:def:5849 Multiple Vendors SSH2 "incorrect length fields" Vulnerability
oval:org.mitre.oval:def:5721 Multiple Vendors SSH2 "lists with empty elements or multiple separators" Vuln...
oval:org.mitre.oval:def:5848 Multiple Vendors SSH2 "buffer overflow" Vulnerability
oval:org.mitre.oval:def:5797 Multiple Vendors SSH2 "null characters in strings" Vulnerability

Open Source Vulnerability Database (OSVDB)

id Description
40519 WinSCP Protocol Handler Command Line Switch Injection Arbitrary File Transfer
26338 WinSCP scp/sftp Protocol Handler Arbitrary Command Injection
8045 SSH2 Server/Client Null Character String Arbitrary Command Execution
8044 Multiple Vendor SSH2 Server/Client Large Field Overflows
8043 SSH2 Server/Client Empty Element List Arbitrary Command Execution
8042 SSH2 Server/Client Incorrect Length Specifiers Arbitrary Code Execution

OpenVAS Exploits

Date Description
2005-11-03 Name : SSH Multiple Vulns
File : nvt/ssh_multivulns_16122002.nasl

Snort® IPS/IDS

Date Description
2014-01-10 Putty Server key exchange buffer overflow attempt
RuleID : 10010 - Type : SERVER-OTHER - Revision : 8

Nessus® Vulnerability Scanner

Date Description
2019-01-16 Name: The remote Fedora host is missing a security update.
File: fedora_2019-f6ff819834.nasl - Type: ACT_GATHER_INFO
2014-06-13 Name: The remote openSUSE host is missing a security update.
File: openSUSE-2013-655.nasl - Type: ACT_GATHER_INFO
2014-06-13 Name: The remote openSUSE host is missing a security update.
File: openSUSE-2013-650.nasl - Type: ACT_GATHER_INFO
2014-04-18 Name: The remote Windows host has an application that is affected by multiple vulne...
File: winscp_5_5_3.nasl - Type: ACT_GATHER_INFO
2014-02-07 Name: The remote Windows host has an application installed that is affected by an i...
File: winscp_5_1_6.nasl - Type: ACT_GATHER_INFO
2013-09-30 Name: The remote Fedora host is missing a security update.
File: fedora_2013-14794.nasl - Type: ACT_GATHER_INFO
2013-09-15 Name: The remote Gentoo host is missing one or more security-related patches.
File: gentoo_GLSA-201309-08.nasl - Type: ACT_GATHER_INFO
2013-08-22 Name: The remote Gentoo host is missing one or more security-related patches.
File: gentoo_GLSA-201308-01.nasl - Type: ACT_GATHER_INFO
2013-08-21 Name: The remote Fedora host is missing a security update.
File: fedora_2013-14676.nasl - Type: ACT_GATHER_INFO
2013-08-21 Name: The remote Fedora host is missing a security update.
File: fedora_2013-14656.nasl - Type: ACT_GATHER_INFO
2013-08-20 Name: The remote Fedora host is missing a security update.
File: fedora_2013-14706.nasl - Type: ACT_GATHER_INFO
2013-08-13 Name: The remote Windows host has an application that is affected by a remote integ...
File: filezilla_372.nasl - Type: ACT_GATHER_INFO
2013-08-13 Name: The remote Windows host has an SSH client that is affected by multiple vulner...
File: putty_063.nasl - Type: ACT_GATHER_INFO
2013-08-13 Name: The remote Debian host is missing a security-related update.
File: debian_DSA-2736.nasl - Type: ACT_GATHER_INFO
2013-08-08 Name: The remote FreeBSD host is missing a security-related update.
File: freebsd_pkg_4b448a96ff7311e2b28d080027ef73ec.nasl - Type: ACT_GATHER_INFO
2010-09-01 Name: The remote device is missing a vendor-supplied security patch.
File: cisco-sa-20021219-ssh-packethttp.nasl - Type: ACT_GATHER_INFO
2007-09-14 Name: The remote Windows host has a program that allows arbitrary file access.
File: winscp_uri_handler_file_access2.nasl - Type: ACT_GATHER_INFO
2006-06-21 Name: The remote Windows host has an application that allows arbitrary file access.
File: winscp_uri_handler_file_access.nasl - Type: ACT_GATHER_INFO
2003-03-14 Name: The remote device is missing a vendor-supplied security patch.
File: CSCdz60229.nasl - Type: ACT_GATHER_INFO
2002-12-20 Name: It may be possible to crash the SSH server on the remote host.
File: ssh_multivulns_16122002.nasl - Type: ACT_GATHER_INFO