Re: Critical Issue - CVE-2022-37434 - reported in versions of zlib libraries referenced by
WinSCP does not use zlib library:
WinSCP and zlib
WinSCP and zlib
- martin
Post a reply
Before posting, please read how to report bug or request support effectively.
Bug reports without an attached log file are usually useless.
Topic review
- sgk
Critical Issue - CVE-2022-37434 - reported in versions of zlib libraries referenced by
This has been reported as a critical (9.8) vulnerability for zlib libraries used by WinSCP - https://nvd.nist.gov/vuln/detail/cve-2022-37434
Refer to this link for details on the vulnerability found using the ReversingLabs binary scan tool - https://secure.software/nuget/packages/winscp
Vulnerability description -
zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).
Metrics
NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.
CVSS 3.x Severity and Vector Strings:
NIST CVSS scoreNIST: NVD
Base Score: 9.8 CRITICALVector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ADP: CISA-ADP
Base Score: 9.8 CRITICALVector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Refer to this link for details on the vulnerability found using the ReversingLabs binary scan tool - https://secure.software/nuget/packages/winscp