Post a reply

Before posting, please read how to report bug or request support effectively.

Bug reports without an attached log file are usually useless.

Username

Subject

Message body

Font colour:

Font size:

[quote="sgk"]This has been reported as a critical (9.8) vulnerability for zlib libraries used by WinSCP - https://nvd.nist.gov/vuln/detail/cve-2022-37434
[quote]Vulnerability description - 
zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).
Metrics   
NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.
CVSS 3.x Severity and Vector Strings:

NIST CVSS scoreNIST: NVD
Base Score: 9.8 CRITICALVector:  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ADP:  CISA-ADP
Base Score: 9.8 CRITICALVector:  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
[/quote]
Refer to this link for details on the vulnerability found using the ReversingLabs binary scan tool - https://secure.software/nuget/packages/winscp[/quote]

Options

Disable BBCode in this post

Notify me when a reply is posted (registered users only)

Add an Attachment

If you do not want to add an Attachment to your Post, please leave the Fields blank.

Filename

(maximum 10 MB; please compress large files; only common media, archive, text and programming file formats are allowed)

File Comment

Options

Private file (available to author and site moderators only)

Topic review

martin

Re: Critical Issue - CVE-2022-37434 - reported in versions of zlib libraries referenced by

2025-08-01

WinSCP does not use zlib library:
WinSCP and zlib

sgk

Critical Issue - CVE-2022-37434 - reported in versions of zlib libraries referenced by

2025-07-30 19:37

This has been reported as a critical (9.8) vulnerability for zlib libraries used by WinSCP - https://nvd.nist.gov/vuln/detail/cve-2022-37434

Vulnerability description -
zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).
Metrics
NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.
CVSS 3.x Severity and Vector Strings:

NIST CVSS scoreNIST: NVD
Base Score: 9.8 CRITICALVector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ADP: CISA-ADP
Base Score: 9.8 CRITICALVector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Refer to this link for details on the vulnerability found using the ReversingLabs binary scan tool - https://secure.software/nuget/packages/winscp

Post a reply

Topic review

Re: Critical Issue - CVE-2022-37434 - reported in versions of zlib libraries referenced by

Critical Issue - CVE-2022-37434 - reported in versions of zlib libraries referenced by

Documentation

Support

Associations

Follow Us