PT-2021-5783 · Unknown+6 · Midnight Commander+5

Manfred Kaiser · Published 2021-07-09 · Updated 2024-06-15 · CVE-2021-36370

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:C/A:N
Name of the Vulnerable Software and Affected Versions: Midnight Commander versions through 4.8.26

Description: The issue is caused by the lack of server fingerprint checking and display in Midnight Commander. When establishing an SFTP connection, the server's host key fingerprint is neither checked against previously known keys nor shown to the user, so the user has no way to verify the server's authenticity. A remote attacker who can get a client to connect to a server under their control is therefore able to impersonate the legitimate server and compromise the integrity of transferred data.

Recommendations: For Midnight Commander versions through 4.8.26, consider disabling SFTP connections until a patch is available to address the lack of server fingerprint verification. As a temporary workaround, users should manually verify the server's authenticity (for example, by comparing the host key fingerprint obtained out of band) before establishing a connection.
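The missing step described above is the host key check an SFTP client is expected to perform before trusting a server. The following Python example, added here for illustration and not code from Midnight Commander or from this advisory's author, shows what that check looks like: it computes the OpenSSH-style SHA-256 fingerprint of a server's public key blob, compares it with a pinned entry from a known_hosts-style store, and refuses to proceed when the host is unknown or the key differs. The host names, key material and known_hosts text are constructed test values.

```python
import base64
import hashlib
import hmac
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length + payload)."""
    return struct.pack(">I", len(data)) + data


# Constructed sample host keys: ssh-ed25519 blobs with arbitrary 32-byte key
# material. They are test values built here, not real server keys.
SERVER_KEY_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
IMPOSTOR_KEY_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(1, 33)))

# Constructed known_hosts text in OpenSSH's plain "host type base64key" layout,
# pinning SERVER_KEY_BLOB for one (hypothetical) host name.
KNOWN_HOSTS_TEXT = (
    "files.example.test ssh-ed25519 "
    + base64.b64encode(SERVER_KEY_BLOB).decode("ascii")
    + "\n# comment lines and blank lines are ignored\n\n"
)


class UnknownHostKey(Exception):
    """No pinned key exists for this host; the user must verify out of band."""


class HostKeyMismatch(Exception):
    """A pinned key exists but the presented key differs: refuse to connect."""


def key_type_of(blob: bytes) -> str:
    """Return the algorithm name encoded at the start of an SSH public-key blob."""
    if len(blob) < 4:
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[:4])
    if 4 + length > len(blob):
        raise ValueError("truncated key blob")
    return blob[4:4 + length].decode("ascii")


def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH-style fingerprint: SHA-256 of the blob, base64 with '=' padding removed."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def load_known_hosts(text: str) -> dict:
    """Parse plain known_hosts lines into {host: (key_type, fingerprint)}."""
    pinned = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, key_type, b64 = line.split()[:3]
        pinned[host] = (key_type, fingerprint_sha256(base64.b64decode(b64)))
    return pinned


def verify_host_key(host: str, blob: bytes, pinned: dict) -> str:
    """Check the presented key against the pinned one.

    Returns the fingerprint on a match; raises UnknownHostKey when the host has
    no pin (the client should display the fingerprint and ask the user) and
    HostKeyMismatch when the pin disagrees (the connection must not proceed).
    """
    presented = fingerprint_sha256(blob)
    if host not in pinned:
        raise UnknownHostKey(f"{host}: unverified {key_type_of(blob)} key {presented}")
    expected_type, expected_fp = pinned[host]
    if expected_type != key_type_of(blob) or not hmac.compare_digest(expected_fp, presented):
        raise HostKeyMismatch(f"{host}: expected {expected_fp}, got {presented}")
    return presented


def host_key_status(host: str, blob: bytes, pinned: dict) -> str:
    """Convenience wrapper mapping the outcome to 'ok', 'unknown' or 'mismatch'."""
    try:
        verify_host_key(host, blob, pinned)
        return "ok"
    except UnknownHostKey:
        return "unknown"
    except HostKeyMismatch:
        return "mismatch"


if __name__ == "__main__":
    pinned = load_known_hosts(KNOWN_HOSTS_TEXT)
    print("genuine server:", host_key_status("files.example.test", SERVER_KEY_BLOB, pinned))
    print("impostor key:  ", host_key_status("files.example.test", IMPOSTOR_KEY_BLOB, pinned))
    print("unknown host:  ", host_key_status("other.example.test", SERVER_KEY_BLOB, pinned))
```

The "unknown" outcome is the one the advisory's workaround addresses: a client that has no pin for a host must at least show the fingerprint so the user can compare it with a value obtained out of band; silently accepting the key, as described above, leaves nothing for the user to verify.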

Weakness Enumeration: Improper Authentication

Related Identifiers

ALT-PU-2022-1011
ALT-PU-2022-1068
ALT-PU-2022-1089
ALT-PU-2022-1102
AZL-6678
BDU:2022-00235
CVE-2021-36370
MGASA-2022-0086
OESA-2022-1771
OPENSUSE-SU-2022:0061-1
OPENSUSE-SU-2024:11580-1
USN-5160-1

Affected Products

Alt Linux
Astra Linux
Debian
Linuxmint
Midnight Commander
Ubuntu