CVE Vulnerability

CVE-2021-36370

An issue was discovered in Midnight Commander through 4.8.26. When establishing an SFTP connection, the fingerprint of the server is neither checked nor displayed. As a result, a user connects to the server without the ability to verify its authenticity.

5 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 10 / Impact : 2.9

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

Scope

7.5 /10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://github.com/MidnightCommander/mc/blob/master/src/vfs/sftpfs/connection.c Exploit Third Party Advisory
https://github.com/MidnightCommander/mc/blob/5c1d3c55dd15356ec7d079084d904b7b0fd58d3e/src/vfs/sftpfs/connection.c#L484 Exploit Third Party Advisory
https://sourceforge.net/projects/mcwin32/files/ Product Third Party Advisory
https://midnight-commander.org/ Vendor Advisory
https://mail.gnome.org/archives/mc-devel/2021-August/msg00008.html Release Notes Third Party Advisory
https://docs.ssh-mitm.at/CVE-2021-36370.html Exploit Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:midnight-commander:midnight_commander:*:*:*:*:*:*:*:*
Information

Published : 2021-08-30 07:15

Updated : 2021-09-08 01:41

NVD link : CVE-2021-36370

Mitre link : CVE-2021-36370

Products Affected
No products.
CWE
CWE-287