[MAVEN:GHSA-Q446-82VQ-W674] Improper Limitation of a Pathname to a Restricted Directory in JCraft JSch

Severity Moderate
Affected Packages 1
Fixed Packages 1
CVEs 1

Directory traversal vulnerability in JCraft JSch before 0.1.54 on Windows, when the mode is ChannelSftp.OVERWRITE, allows remote SFTP servers to write to arbitrary files via a ..\ (dot dot backslash) in a response to a recursive GET command.

Affected version: pkg:maven/com.jcraft/jsch <= 0.1.53
Fixed version: pkg:maven/com.jcraft/jsch = 0.1.54
ID: MAVEN:GHSA-Q446-82VQ-W674
Severity: moderate
URL: https://github.com/advisories/GHSA-q446-82vq-w674
Published: 2022-05-13T01:09:33
Modified: 2023-01-27T05:02:13
Rights: Maven Security Team
Other Advisories
| Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
|---|---|---|---|---|---|---|---|
| Affected | pkg:maven/com.jcraft/jsch | com.jcraft | jsch | <= 0.1.53 | | | |
| Fixed | pkg:maven/com.jcraft/jsch | com.jcraft | jsch | = 0.1.54 | | | |