CVE-2016-5725 (Medium) detected in jsch-0.1.53.jar, jsch-0.1.49.jar

[mend-for-github-com[bot]]

CVE-2016-5725 - Medium Severity Vulnerability

Vulnerable Libraries - jsch-0.1.53.jar, jsch-0.1.49.jar

jsch-0.1.53.jar

JSch is a pure Java implementation of SSH2

Library home page: http://www.jcraft.com/jsch/

Path to dependency file: Resiliency-Studio/resiliency-studio-agent/pom.xml

Path to vulnerable library: ory/com/jcraft/jsch/0.1.53/jsch-0.1.53.jar

Dependency Hierarchy: - :x: **jsch-0.1.53.jar** (Vulnerable Library)

jsch-0.1.49.jar

JSch is a pure Java implementation of SSH2

Library home page: http://www.jcraft.com/jsch/

Path to dependency file: Resiliency-Studio/resiliency-studio-service/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/jcraft/jsch/0.1.49/jsch-0.1.49.jar

Dependency Hierarchy: - jclouds-jsch-1.9.2.jar (Root Library) - :x: **jsch-0.1.49.jar** (Vulnerable Library)

Found in HEAD commit: 27f5ba6623ed8d6b149733f3ad245fc8133f1ffc

Found in base branch: master

Vulnerability Details

Directory traversal vulnerability in JCraft JSch before 0.1.54 on Windows, when the mode is ChannelSftp.OVERWRITE, allows remote SFTP servers to write to arbitrary files via a ..\ (dot dot backslash) in a response to a recursive GET command.

Publish Date: 2017-01-19

URL: CVE-2016-5725

CVSS 3 Score Details (5.9)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: High - Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5725

Release Date: 2017-01-19

Fix Resolution: 0.1.54