{"id":"CVE-2018-20684","details":"In WinSCP before 5.14 beta, due to missing validation, the scp implementation would accept arbitrary files sent by the server, potentially overwriting unrelated files. This affects TSCPFileSystem::SCPSink in core/ScpFileSystem.cpp.","modified":"2025-11-14T08:35:27.047554Z","published":"2019-01-10T21:29:00.297Z","references":[{"type":"WEB","url":"https://www.oracle.com/security-alerts/cpujan2020.html"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/106526"},{"type":"FIX","url":"https://github.com/winscp/winscp/commit/49d876f2c5fc00bcedaa986a7cf6dedd6bf16f54"},{"type":"ADVISORY","url":"https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt"},{"type":"ADVISORY","url":"https://winscp.net/eng/docs/history"},{"type":"FIX","url":"https://winscp.net/tracker/1675"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/winscp/winscp","events":[{"introduced":"0"},{"fixed":"49d876f2c5fc00bcedaa986a7cf6dedd6bf16f54"}]}],"versions":["5.10","5.10.1","5.10.2","5.10.3","5.10.4","5.11","5.11.1","5.11.2","5.11.3","5.12","5.12.1","5.12.2","5.13","5.13.1","5.13.2","5.13.3","5.13.4","5.7.6","5.7.7","5.8","5.8.1","5.8.2","5.8.3","5.8.4","5.9","5.9.1","5.9.2","5.9.3","5.9.4","5.9.5","5.9.6"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2018-20684.json","vanir_signatures":[{"signature_type":"Line","id":"CVE-2018-20684-7e525f07","digest":{"threshold":0.9,"line_hashes":["190059343526321250718249722846150668288","265185899346947669849958001449947920961","207441580209763168162942788988296410514","96551852497919177171655564292665931904"]},"deprecated":false,"target":{"file":"source/core/ScpFileSystem.cpp"},"source":"https://github.com/winscp/winscp/commit/49d876f2c5fc00bcedaa986a7cf6dedd6bf16f54","signature_version":"v1"},{"signature_type":"Function","id":"CVE-2018-20684-8f05019a","digest":{"length":7337,"function_hash":"94415055861517891977301272192252666951"},"deprecated":false,"target":{"file":"source/core/ScpFileSystem.cpp","function":"TSCPFileSystem::SCPSink"},"source":"https://github.com/winscp/winscp/commit/49d876f2c5fc00bcedaa986a7cf6dedd6bf16f54","signature_version":"v1"}]}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}