CVE-2016-5725

Name of the Vulnerable Software and Affected Versions JCraft JSch versions prior to 0.1.54

Description The issue allows remote SFTP servers to write to arbitrary files via a .. (dot dot backslash) in a response to a recursive GET command, potentially impacting the integrity of information. This is due to incorrect restriction of the directory path name with limited access.

Recommendations For versions prior to 0.1.54, update to version 0.1.54 or later to resolve the issue. As a temporary workaround, consider restricting access to the ChannelSftp.OVERWRITE mode until a patch is available. Avoid using the ChannelSftp.OVERWRITE mode in the affected JSch implementation until the issue is resolved.