CVE-2021-3331
Summary
| CVE | CVE-2021-3331 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2021-01-27 21:15:00 UTC |
| Updated | 2021-02-04 15:59:00 UTC |
| Description | WinSCP before 5.17.10 allows remote attackers to execute arbitrary programs when the URL handler encounters a crafted URL that loads session settings. (For example, this is exploitable in a default installation in which WinSCP is the handler for sftp:// URLs.) |
Risk And Classification
Problem Types: NVD-CWE-Other
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Raw Session Settings :: WinSCP | MISC | winscp.net | Vendor Advisory |
| Bug 1943 – Prevent loading session settings that can lead to remote code execution from handled URLs :: Tracker :: WinSCP | MISC | winscp.net | Patch, Vendor Advisory |
| WinSCP :: Documentation (History) | MISC | winscp.net | Release Notes, Vendor Advisory |
| Bug 1943: Prevent loading session settings that can lead to remote co… · winscp/winscp@faa96e8 · GitHub | MISC | github.com | Patch, Third Party Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.