CVEs affecting projects tracked on Release Alert, from NVD & OSV.
CVE-2014-2735 — MEDIUM severity vulnerability | Release Alert
CVE-2014-2735
5.8
MEDIUMCVSS v2
Published
April 22, 2014
Affected
1 project
Assigned by
MITRE
Severity scale
010
Description
WinSCP before 5.5.3, when FTP with TLS is used, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
NuGet GalleryThe WinSCP .NET assembly is a .NET wrapper around WinSCP’s scripting interface that allows your code to connect to a remote machine and manipulate remote files over SFTP, FTP, WebDAV, S3 and SCP sessions.
The library is primarily intended for advanced automation tasks on Microsoft Windows that require conditional processing, loops or other control structures for which the basic scripting interface is too limited. The library is not a general purpose file transfer library. It particularly has a limited support for an interactive processing, and as such it is not well suited for use in GUI applications. For the same reason it is also difficult to use the assembly within a restricted environment like a web server, that limits or even restricts execution of external processes.
For documentation and examples of use, see project website.
The NuGet package includes the assembly itself and a required WinSCP executable. When installed, it adds the assembly as reference to your project and sets up WinSCP executable to be copied to project output directory, so that it can be found on run-time.