CVE-2018-20684

Name of the Vulnerable Software and Affected Versions Sun ZFS Storage Appliance Kit (AK) (affected versions not specified) WinSCP versions prior to 5.14 beta

Description The issue is related to insufficient input validation. In the case of WinSCP, this affects the TSCPFileSystem::SCPSink in core/ScpFileSystem.cpp, allowing a server to send arbitrary files that could potentially overwrite unrelated files on the client side. This could allow a remote attacker to gain full control over the application.

Recommendations For Sun ZFS Storage Appliance Kit (AK), at the moment, there is no information about a newer version that contains a fix for this vulnerability. For WinSCP versions prior to 5.14 beta, update to version 5.14 beta or later to resolve the issue. As a temporary workaround, consider restricting access to the TSCPFileSystem::SCPSink function in core/ScpFileSystem.cpp until a patch is available. Avoid using the scp implementation in WinSCP until the issue is resolved.