WinSCP before 5.17.10 allows remote attackers to execute arbitrary programs when the URL handler encounters a crafted URL that loads session settings. (For example, this is exploitable in a default installation in which WinSCP is the handler for sftp:// URLs.)
References
Link | Resource |
---|---|
https://winscp.net/eng/docs/history#5.17.10 | Release Notes Vendor Advisory |
https://winscp.net/eng/docs/rawsettings | Vendor Advisory |
https://github.com/winscp/winscp/commit/faa96e8144e6925a380f94a97aa382c9427f688d | Patch Third Party Advisory |
https://winscp.net/tracker/1943 | Patch Vendor Advisory |
Configurations
Information
Published : 2021-01-27 13:15
Updated : 2021-02-04 07:59
NVD link : CVE-2021-3331
Mitre link : CVE-2021-3331
JSON object : View
CWE
Products Affected
winscp
- winscp